ABAC (Attribute-Based Access Control): trying attribute-based access control with session tags
https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_session-tags.html
https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
What you need
An AWS account
Procedure
The setup used for this experiment.
1. Create the roles
Role

  role            policy             tag
  test-stg-role   test-role-policy   env:stg
  test-dev-role   test-role-policy   env:dev

Policy for the roles
test-role-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TestAccessSSM",
      "Effect": "Allow",
      "Action": [
        "ssm:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/env": "${aws:PrincipalTag/env}"
        }
      }
    }
  ]
}
Trust relationship for the roles
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
2. Create the IAM users
IAM User

  user       policy             tag
  test-stg   test-user-policy   env:stg
  test-dev   test-user-policy   env:dev

Policy for the IAM users
test-user-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TestAssumeRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role",
        "arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/env": "${aws:PrincipalTag/env}"
        }
      }
    }
  ]
}
3. Create the Parameter Store parameters
Parameter Store

  name       tag       value
  test-stg   env:stg   any value
  test-dev   env:dev   any value
4. Test results
4-1. Test results (role switch)

  No   From (User)   To (Role)       Result
  1    test-stg      test-stg-role   OK
  2    test-stg      test-dev-role   NG
  3    test-dev      test-stg-role   NG
  4    test-dev      test-dev-role   OK
1. IAM User: test-stg → Role: test-stg-role
$ aws sts assume-role \
> --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role \
> --role-session-name my-session \
> --profile test-stg
{
"Credentials": {
"AccessKeyId": "XXXXXX",
"SecretAccessKey": "XXXXXX",
"SessionToken": "XXXXXX",
"Expiration": "2020-02-24T09:08:55+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "XXXXXX:my-session",
"Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-stg-role/my-session"
}
}
2. IAM User: test-stg → Role: test-dev-role
$ aws sts assume-role \
> --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role \
> --role-session-name my-session \
> --profile test-stg
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::XXXXXXXXXXXX:user/test-stg is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role
3. IAM User: test-dev → Role: test-stg-role
$ aws sts assume-role \
> --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role \
> --role-session-name my-session \
> --profile test-dev
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::XXXXXXXXXXXX:user/test-dev is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role
4. IAM User: test-dev → Role: test-dev-role
$ aws sts assume-role \
> --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role \
> --role-session-name my-session \
> --profile test-dev
{
"Credentials": {
"AccessKeyId": "XXXXXX",
"SecretAccessKey": "XXXXXX",
"SessionToken": "XXXXXX",
"Expiration": "2020-02-24T09:09:52+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "XXXXXX:my-session",
"Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-dev-role/my-session"
}
}
4-2. Test results (resource access)

  No   From (User)   To (Parameter Store)   Result
  1    test-stg      test-stg               OK
  2    test-stg      test-dev               NG
  3    test-dev      test-stg               NG
  4    test-dev      test-dev               OK
1. IAM User: test-stg → Parameter Store: test-stg
$ aws ssm get-parameter --name test-stg --profile test-stg-role
{
"Parameter": {
"Name": "test-stg",
"Type": "String",
"Value": "test",
"Version": 1,
"LastModifiedDate": "2020-02-24T15:35:40.814000+09:00",
"ARN": "arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-stg"
}
}
2. IAM User: test-stg → Parameter Store: test-dev
$ aws ssm get-parameter --name test-dev --profile test-stg-role
An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-stg-role/botocore-session-XXXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-dev
3. IAM User: test-dev → Parameter Store: test-stg
$ aws ssm get-parameter --name test-stg --profile test-dev-role
An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-dev-role/botocore-session-XXXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-stg
4. IAM User: test-dev → Parameter Store: test-dev
$ aws ssm get-parameter --name test-dev --profile test-dev-role
{
"Parameter": {
"Name": "test-dev",
"Type": "String",
"Value": "test",
"Version": 1,
"LastModifiedDate": "2020-02-24T15:27:07.440000+09:00",
"ARN": "arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-dev"
}
}
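The two policies in steps 1 and 2 share one Condition, "StringEquals": {"aws:ResourceTag/env": "${aws:PrincipalTag/env}"}, and the matrices in 4-1 and 4-2 are what that condition produces. The following is an added example, not code from the original post and not AWS code: an offline model of how IAM resolves the ${aws:PrincipalTag/env} variable from the request context and compares it with the resource tag, first for sts:AssumeRole (user to role, as in 4-1) and then for ssm:GetParameter (assumed-role session to parameter, as in 4-2). It reuses the user, role and parameter names from the experiment and the XXXXXXXXXXXX account placeholder; the untagged user, role and parameter are constructed here to show the failure mode the tables do not cover: when either side has no env tag, the condition cannot match and the request is denied. It also makes explicit why the role policy works at all: with no session tags passed to AssumeRole, the assumed-role session carries the role's own tags, so aws:PrincipalTag/env in test-role-policy resolves to the role's env, not the user's.

```python
"""Offline model of the tag-matching Condition shared by test-role-policy
and test-user-policy. Added example, not AWS or the post's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ACCOUNT = "XXXXXXXXXXXX"  # placeholder account id, as in the post
VARIABLE = re.compile(r"\$\{([^}]+)\}")
# The Condition block used by both policies above.
TAG_MATCH = {"aws:ResourceTag/env": "${aws:PrincipalTag/env}"}


@dataclass
class Entity:
    """An IAM user, role, role session or SSM parameter with its tags."""
    name: str
    arn: str
    tags: Dict[str, str] = field(default_factory=dict)


def substitute_variables(value: str, context: Dict[str, str]) -> Optional[str]:
    """Expand ${key} policy variables from the request context. Returns None
    when a variable has no value in the context: such a condition never matches."""
    missing = False

    def repl(match):
        nonlocal missing
        resolved = context.get(match.group(1))
        if resolved is None:
            missing = True
            return ""
        return resolved

    expanded = VARIABLE.sub(repl, value)
    return None if missing else expanded


def string_equals(condition: Dict[str, str], context: Dict[str, str]) -> bool:
    """StringEquals: every key must exist in the context and equal the
    variable-expanded expected value; an absent key means no match."""
    for key, expected in condition.items():
        actual = context.get(key)
        wanted = substitute_variables(expected, context)
        if actual is None or wanted is None or actual != wanted:
            return False
    return True


def request_context(principal: Entity, resource: Entity) -> Dict[str, str]:
    """Build the aws:PrincipalTag/* and aws:ResourceTag/* keys IAM would see."""
    context = {f"aws:PrincipalTag/{k}": v for k, v in principal.tags.items()}
    context.update({f"aws:ResourceTag/{k}": v for k, v in resource.tags.items()})
    return context


def assume_role(user: Entity, role: Entity) -> Optional[Entity]:
    """Model sts:AssumeRole under test-user-policy. The returned session
    carries the role's tags (no session tags are passed), which is what
    aws:PrincipalTag/env resolves to in test-role-policy later on."""
    if not string_equals(TAG_MATCH, request_context(user, role)):
        return None
    session_arn = f"arn:aws:sts::{ACCOUNT}:assumed-role/{role.name}/my-session"
    return Entity(f"{role.name}/my-session", session_arn, dict(role.tags))


def get_parameter(session: Entity, parameter: Entity) -> bool:
    """Model ssm:GetParameter under test-role-policy."""
    return string_equals(TAG_MATCH, request_context(session, parameter))


def user(name: str, **tags: str) -> Entity:
    return Entity(name, f"arn:aws:iam::{ACCOUNT}:user/{name}", tags)


def role(name: str, **tags: str) -> Entity:
    return Entity(name, f"arn:aws:iam::{ACCOUNT}:role/{name}", tags)


def parameter(name: str, **tags: str) -> Entity:
    return Entity(name, f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/{name}", tags)


# Entities from the experiment, plus constructed untagged ones.
USERS = [user("test-stg", env="stg"), user("test-dev", env="dev"), user("test-untagged")]
ROLES = [role("test-stg-role", env="stg"), role("test-dev-role", env="dev"),
         role("test-untagged-role")]
PARAMS = [parameter("test-stg", env="stg"), parameter("test-dev", env="dev"),
          parameter("test-untagged")]


def role_switch_matrix() -> Dict[Tuple[str, str], str]:
    """Section 4-1: (user, role) -> 'OK' if the user may assume the role, else 'NG'."""
    return {(u.name, r.name): "OK" if assume_role(u, r) else "NG"
            for u in USERS for r in ROLES}


def resource_access_matrix() -> Dict[Tuple[str, str], str]:
    """Section 4-2: (role, parameter) -> result for every session that could be obtained."""
    results = {}
    for u in USERS:
        for r in ROLES:
            session = assume_role(u, r)
            if session is None:
                continue  # no session, so no resource access to evaluate
            for p in PARAMS:
                results[(r.name, p.name)] = "OK" if get_parameter(session, p) else "NG"
    return results


if __name__ == "__main__":
    for (src, dst), result in sorted(role_switch_matrix().items()):
        print(f"{src:14} -> role {dst:20} {result}")
    for (src, dst), result in sorted(resource_access_matrix().items()):
        print(f"{src:14} -> parameter {dst:15} {result}")
```

Running it reproduces the four OK/NG rows of 4-1 and 4-2 and adds the untagged cases: a user without an env tag can assume nothing, a role without one can be assumed by nobody, and a parameter without one is unreadable from every session. That last point is worth keeping in mind with the broad "ssm:*" on "Resource": "*" in test-role-policy: the tag condition only ever allows requests whose resource carries a matching env tag, so anything untagged stays denied.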
Thoughts
Reference
Original post: https://qiita.com/sirotosiko/items/8fec2e69061485af4352