awsdocs / amazon-ecs-developer-guide

The open source version of the Amazon ECS developer guide. You can submit feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.

Document update - IAM roles for task - aws:SourceArn usage

aws-Ninja opened this issue · comments

Hello, this is a suggested update for the "Creating an IAM role and policy for your tasks" section of our public documentation, IAM roles for tasks:

It is recommended that you use the aws:SourceAccount or aws:SourceArn condition keys to scope the permissions further to prevent the confused deputy security issue. These condition keys can be specified in the trust relationship or in the IAM policy associated with the role.

With aws:SourceArn we can lock down the IAM role so that only ECS tasks within the account can assume it. For example,

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ecs:*:1234567890:task/*"
                }
            }
        }
    ]
}
```

However, it is not yet supported to lock down the IAM role to only allow tasks from a specific cluster.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ecs:*:1234567890:task/my-cluster-name/*"
                }
            }
        }
    ]
}
```

To set proper expectations, can we add the following line to clarify the scope of currently supported usage for aws:SourceArn?

Suggested line to add:

Using the `aws:SourceArn` condition key to lock down an IAM role to the cluster level is not currently supported.

Feel free to reach out to xuyiruan at amazon dot com if you need any further info. Thanks.

We appreciate this suggestion and are incorporating it into the docs.
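The trust policy discussed in this issue, with both recommended condition keys (`aws:SourceAccount` via `StringEquals` and `aws:SourceArn` via `ArnLike`), built and then evaluated locally against a few constructed request contexts to show what the confused-deputy mitigation actually rejects. This is an added example written for this page; it is not code from the issue, from the ECS developer guide, or from AWS. It assumes the placeholder account ID `1234567890` carried over from the issue's JSON, a second placeholder account `0987654321`, and made-up task IDs. The evaluator models only `StringEquals` and `ArnLike` using IAM's documented component-wise wildcard rule; it is a local model, not IAM, and it cannot tell you which value ECS places in `aws:SourceArn`, so it says nothing about whether the cluster-scoped pattern from the issue would ever match (per the issue, that restriction is not supported).

```python
import json
import re

# Placeholder account ID carried over from the issue's example (not a real account).
ACCOUNT_ID = "1234567890"


def build_trust_policy(account_id: str) -> dict:
    """Trust policy for an ECS task role scoped with both condition keys.

    aws:SourceAccount (StringEquals) pins the calling account; aws:SourceArn
    (ArnLike) additionally restricts the caller to ECS task ARNs in that account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowEcsTasksInThisAccountOnly",
                "Effect": "Allow",
                "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": f"arn:aws:ecs:*:{account_id}:task/*"},
                },
            }
        ],
    }


def _arn_component_matches(pattern: str, value: str) -> bool:
    """ArnLike semantics for one colon-delimited ARN component:
    '*' matches any run of characters (including '/'), '?' matches exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern: str, arn: str) -> bool:
    """Compare an ARN against an ArnLike pattern component by component.

    ARNs have six colon-separated parts, and the resource part may itself contain
    colons, so split at most five times and compare each part on its own.
    """
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_arn_component_matches(p, a) for p, a in zip(p_parts, a_parts))


# Only the two operators this trust policy uses are modelled (assumption of this example).
_OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,
    "ArnLike": arn_like,
}


def condition_allows(statement: dict, request_context: dict) -> bool:
    """Evaluate a statement's Condition block against the request context keys.

    Every operator and every key must be satisfied (AND); a key listing several
    values is satisfied by any one of them (OR). A context key absent from the
    request makes the condition fail, which is what stops a caller that does not
    carry an aws:SourceArn at all.
    """
    for operator, keys in statement.get("Condition", {}).items():
        match = _OPERATORS[operator]
        for key, expected in keys.items():
            actual = request_context.get(key)
            if actual is None:
                return False
            expected_values = expected if isinstance(expected, list) else [expected]
            if not any(match(e, actual) for e in expected_values):
                return False
    return True


def ecs_task_may_assume(policy: dict, request_context: dict) -> bool:
    """True if some Allow statement granting sts:AssumeRole to
    ecs-tasks.amazonaws.com has all of its conditions satisfied."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and stmt["Principal"].get("Service") == "ecs-tasks.amazonaws.com"
                and stmt["Action"] == "sts:AssumeRole"
                and condition_allows(stmt, request_context)):
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID)
    print(json.dumps(policy, indent=4))
    # Constructed request contexts: task IDs and the second account are made up.
    own_task = {
        "aws:SourceAccount": ACCOUNT_ID,
        "aws:SourceArn": f"arn:aws:ecs:us-east-1:{ACCOUNT_ID}:task/my-cluster-name/0a1b2c3d4e5f67890",
    }
    other_account_task = {
        "aws:SourceAccount": "0987654321",
        "aws:SourceArn": "arn:aws:ecs:us-east-1:0987654321:task/my-cluster-name/0a1b2c3d4e5f67890",
    }
    for label, ctx in [("own task", own_task), ("other account's task", other_account_task),
                       ("no source context", {})]:
        print(f"{label}: {'allowed' if ecs_task_may_assume(policy, ctx) else 'denied'}")
```

Running it prints the generated trust policy and then `allowed` for the in-account task, `denied` for the cross-account task (the confused-deputy case) and `denied` when no source context is present. The `StringEquals` on `aws:SourceAccount` is deliberately kept alongside the `ArnLike`: it is cheap, it is the key the guide names first, and it rejects a cross-account caller even if someone later loosens the ARN pattern.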