AWS IAM: Restrict STS assume-role to specific users

Today I learned! AWS gives you the ability to allow users of one account (let’s give it account number 5555–5555–5555) to assume a role in another (we’ll give it 6666–6666–6666). This is pretty straightforward stuff that, as an AWS administrator, you’ll learn sooner rather than later. AWS provides a tutorial here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

What I learned is that you can further restrict access to the role to certain users within an account with a properly crafted conditional statement. I’ve wondered about this for a long time and either a co-worker or someone much smarter than myself figured it out. Thanks, smart person!

Let’s examine the trust policy of such an IAM role. In the 6666–6666–6666 account, there’s a role called “RemoteAdmins,” so its ARN is arn:aws:iam::666666666666:role/RemoteAdmins. Its trust policy states two things. First, users assuming the role must have already authenticated using two-factor auth (aws:MultiFactorAuthPresent = true). Second, only selected users from the 5555–555–5555 account may assume this role (StringEquals = aws:username, being one of the usernames in the list).

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::555555555555:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:username": [
"jecarter",
"wjclinton",
"bhobama",
"jrbiden"
]
},
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}

Brilliant! Unfortunately, I’m not aware of a way to declare that only members of a group may assume a role. If you are aware a way to grant cross-account access to groups, drop a comment :)