AWS IAM: Restrict STS assume-role to specific users

Today I learned! AWS gives you the ability to allow users of one account (let’s give it account number 5555–5555–5555) to assume a role in another (we’ll give it 6666–6666–6666). This is pretty straightforward stuff that, as an AWS administrator, you’ll learn sooner rather than later. AWS provides a tutorial here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

What I learned is that you can further restrict access to the role to certain users within an account with a properly crafted conditional statement. I’ve wondered about this for a long time and either a co-worker or someone much smarter than myself figured it out. Thanks, smart person!

Let’s examine the trust policy of such an IAM role. In the 6666–6666–6666 account, there’s a role called “RemoteAdmins,” so its ARN is arn:aws:iam::666666666666:role/RemoteAdmins. Its trust policy states two things. First, users assuming the role must have already authenticated using two-factor auth (aws:MultiFactorAuthPresent = true). Second, only selected users from the 5555–555–5555 account may assume this role (StringEquals = aws:username, being one of the usernames in the list).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::555555555555:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:username": [
            "jecarter",
            "wjclinton",
            "bhobama",
            "jrbiden"
          ]
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

Brilliant! Unfortunately, I’m not aware of a way to declare that only members of a group may assume a role. If you are aware a way to grant cross-account access to groups, drop a comment :)