-
Notifications
You must be signed in to change notification settings - Fork 20
Multiple Accounts Considerations
In the following, potential ways to implement multiple accounts (#88) are listed for AWS and Azure respectively. They are either applicable (:heavy_check_mark:) or not (:x:) in the context of the clouditor.
Goal: Account A (e.g. DEV account) allows Account B (CLOUDITOR account) read access to A's resources
Steps:
- DEV creates a role, allowing ("Effect") the CLOUDITOR ("Principal") to assume the role ("Action")
- DEV attaches the SecurityAudit policy to the role (no permissions otherwise due to the principle of least privilege)
- DEV provides CLOUDITOR the link (e.g. https://signin.aws.amazon.com/switchrole?roleName=<ROLENAME_CREATED_IN_STEP1>&account=<ID_OF_PRINCIPAL>) or ARN (arn:aws:iam::<ID_OF_PRINCIPAL>:role/<ROLENAME_CREATED_IN_STEP1>) to switch roles
- CLOUDITOR switches the role
Switching roles can be done via
- the AWS console,
- AWS CLI, or
- programmatically
How it works (see also this answer on stackoverflow):
- The Security Token Session (STS) provides the CLOUDITOR with temporary credentials consisting of an access key (beginning with ASIA), a secret, and additionally a security token
- The CLOUDITOR uses these credentials to switch to the role of DEV, which was created in step 1 and has the permissions from step 2
- No additional costs emerge for assuming roles
Notes:
- AWS Organizations isn't necessary
- Roles only within a single partition, e.g. no cross account access between aws and aws-cn (China) partition possible.
"AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. [...] share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts."
- Supports organization units (OUs) as principals (better manageable, e.g. put PROD and NON-PROD under one OU)
- CLOUDITORs access is constrained through its policies and SCPs
- Limits for number of resources and principals
- No costs emerge for using AWS RAM
- Which services can be shared to what extent is limited (see Shareable AWS resources), e.g. DynamoDB or S3 aren't supported.
- Costs based on number of rule and conformance pack evaluations
- There are AWS Managed Config Rules and Custom Config Rules
- NOT TESTED YET
Besides assuming roles (which does not need an AWS Organization), there is no mechanism in an AWS Organizations to delegate access (e.g. via policy inheritance).
- Updating UI such that it can set up multiple cloud accounts and show the respective scans for the different accounts
- Data model updates: Right now, only one account per cloud can be stored in the DB.
- Discovering and scanning have to be adapted to handle multiple accounts