As mentioned in my previous post covering how to prevent objects from being accidentally deleted, this one will cover ECS Identity and Access Management (IAM).
Why IAM
ECS Identity and Access Management is an excellent way to implement granular control over user permissions. It is required for object lock enabled buckets, which has led us to use IAM as the only way to provision users and their access to ECS. As the blog post mentioned above has shown, it is also an easy way to ensure that users are unable to delete objects where this is required.
What did we struggle with?
Backup ONE provides Managed Services for ECS, and in that customer base, as well as on our own publicly available systems, we have struggled with the following issues.
The simplest approach would be to create a user and set the permissions using the ECS system policy ECSS3FullAccess. Everything works just fine, except that access is not restricted to the buckets the user should have access to. See the comment on permissions below for permissions you may not want enabled; all of them are enabled when using the ECSS3FullAccess policy.
The second approach was to create a user-specific policy that limits the resources to the buckets the user should have access to. This achieves the goal of limiting access, but should the application want to list all buckets, that call fails.
How to achieve restricted access while being able to list buckets?
One would not believe it, but it took us a while to figure out the way we now implement IAM 😊
Having two S3 permission sets in one policy achieves everything we want: access restricted to the user's buckets while still being able to list buckets.
Process flow to implement this
The process flow can be implemented using the ECS UI in combination with the AWS CLI tools, automated using the REST API, run from a Postman collection with prepared variables to issue the commands, driven with curl, or done any other way you feel comfortable with.
Whatever you choose, these are the steps we follow:
With this, the configuration is completed and safe.
Comment on permissions
Based on our experience with operations in different customer environments, a few words on selected permissions available for the S3 user policy.
Bucket level permissions:
Object Lock permissions should only be granted if they are really required. Should a user enable compliance mode with a retention period, there is no way to delete that data before the retention expires. Especially for service providers this can be dangerous. Permissions:
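To make the two-permission-set idea and the Object Lock caveat concrete, here is an added example (not code from the original post or from Backup ONE): a small Python script that builds the two-statement policy document and checks a few requests against it. The bucket names, the action list and the hypothetical `build_policy` / `is_allowed` helpers are my own assumptions; the ARN format and the `s3:` action names follow the AWS-style policy language that ECS IAM accepts. The first statement grants only `s3:ListAllMyBuckets` on every resource (which is what a "list buckets" call needs), the second grants the working permissions only on the named buckets and the objects inside them, and no Object Lock action is granted at all.

```python
import json
from fnmatch import fnmatchcase

# Constructed example: the buckets this application user may work in.
ALLOWED_BUCKETS = ["app-data", "app-logs"]

# Assumed set of actions the application needs inside its own buckets.
# Object Lock actions (s3:PutObjectRetention, s3:PutObjectLegalHold,
# s3:PutBucketObjectLockConfiguration, s3:BypassGovernanceRetention)
# are deliberately left out, so the policy never grants them.
BUCKET_ACTIONS = [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
]


def build_policy(buckets, bucket_actions=BUCKET_ACTIONS):
    """Return the two-statement policy document as a dict (hypothetical helper).

    Statement 1: ListAllMyBuckets on '*', so listing buckets works.
    Statement 2: the working permissions, restricted to the named buckets
    (arn:aws:s3:::<bucket>) and the objects in them (arn:aws:s3:::<bucket>/*).
    """
    resources = []
    for bucket in buckets:
        resources.append(f"arn:aws:s3:::{bucket}")      # the bucket itself
        resources.append(f"arn:aws:s3:::{bucket}/*")    # objects in it
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListAllBuckets",
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": ["*"],
            },
            {
                "Sid": "RestrictedBucketAccess",
                "Effect": "Allow",
                "Action": list(bucket_actions),
                "Resource": resources,
            },
        ],
    }


def is_allowed(policy, action, resource):
    """Minimal allow-only evaluator (hypothetical helper).

    Mirrors IAM's default-deny rule: a request is allowed only if some Allow
    statement matches both the action and the resource. Explicit Deny
    statements and conditions are not modelled; this is a policy sanity
    check, not a full IAM engine.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if any(fnmatchcase(resource, pattern) for pattern in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(ALLOWED_BUCKETS)
    print(json.dumps(policy, indent=2))
    checks = [
        ("s3:ListAllMyBuckets", "arn:aws:s3:::"),
        ("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("s3:PutObjectRetention", "arn:aws:s3:::app-data/report.csv"),
    ]
    for action, resource in checks:
        print(f"{action:28s} {resource:45s} -> {is_allowed(policy, action, resource)}")
```

Running the script prints the policy JSON you would attach to the user and then shows that listing buckets and reading from `app-data` are allowed, while reading from a foreign bucket and setting an object retention are both denied, because nothing in the document grants them.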
IAM Implementation support required?
Should you be looking for JSON examples of policies, or for assistance in developing an IAM concept, do not hesitate to reach out. We can provide Postman collections or examples that let you start quickly with custom settings and permission sets.
Looking for other ECS related information?
Do not hesitate to reach out to Backup ONE AG using the contact form on our website. We’ll be happy to assist. Ideas for additional posts are welcome 😊.