Configure a CTE COS S3 Role for Guarded Buckets
AWS provides the IAM Role feature that contains certain specific permissions. A user can assume the IAM Role and therefore take on those permissions. CTE COS S3 provides a special feature using this IAM Role to prevent access to one or more buckets outside the CTE COS S3 protection as shown in the following diagram:
This step is optional.
Only hosts that are configured with the CTE COS S3 Role can access the protected buckets. All other access attempts from any hosts where the CTE COS S3 Role is not configured, including attempts made through the AWS S3 Console, are blocked for the protected buckets.
This is a one-time configuration process. After the CTE COS S3 Role is configured on a host by the system or security administrator, all authorized users in the host can access the protected buckets.
Prerequisites
To set up a CTE COS S3 Role, you need a delegated IAM user, role, and policy. The delegated IAM user should be created by the AWS Administrator without any specific privileges. The role and policy must be created by a user who has at least the following privileges:
-
iam:ListPolicies
-
iam:CreatePolicy
-
iam:GetPolicyVersion
-
iam:ListRoles
-
iam:ListRolePolicies
-
iam:ListAttachedRolePolicies
-
iam:AttachRolePolicy
-
iam:UpdateAssumeRolePolicy
-
iam:CreateRole
-
iam:GetRole
Procedure
-
In the IAM Management Console, create a policy that allows access to specific S3 resources. You can leave the policy open to include all S3 resources in the account or include only those buckets that require CTE protection. Make sure you name the policy something that you will remember.
You can also create the policy as an inline policy after you create the CTE COS S3 Role later in this procedure.
For example, you can create a policy called VTE_S3_Role_Policy that allows access to the single S3 bucket
vte-cos-s3-rtb
. To verify that the policy restricts access to that bucket, you can look at the Resource allocation in the Policy summary.The full JSON for the the VTE_S3_Role_Policy is:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::vte-cos-s3-rtb", "arn:aws:s3:::vte-cos-s3-rtb/*" ] } ] }
-
Create a new role that you can use for the CTE COS S3 Role. For example, you could call the role VTE_S3_Role.
-
Assign the CTE COS S3 policy you created to the role, or click Add inline policy to create a new policy. For example:
-
Create a delegated IAM user for the CTE COS S3 Role. The user does not require any privileges because its only job is to assume the CTE COS S3 Role. The delegated IAM user can either be in the same account as the role or it can be in a different trusted account. For example, you could create a user called VTE_S3_User with no privileges.
-
Set "Trusted Entities" to the delegated IAM user on the Trust relationships tab. For example:
-
Configure the CTE COS S3 Role with the credentials of the delegated IAM user you created earlier by entering the following command in the command line on the host system:
voradmin cos s3 role config [<aws_key_id> <aws_secret_key> <user_arn> <role_arn>]
where:
-
<aws_key_id>
is the AWS secret key ID for the delegated IAM user that you created. -
<aws_secret_key>
is the AWS secret key or the delegated IAM user that you created. -
<user_arn>
is the Amazon Resource Name for the delegated IAM user that you created. -
<role_arn>
is the Amazon Resource Name for the delegated IAM Role that you created.
If you omit any of the optional parameters, the
voradmin
command prompts you for that information.For example, if the AWS account number for the delegated IAM user is 1XXXXXXXXXXX, the user name is VTE_S3_User, and the CTE COS S3 Role is VTE_S3_Role, you would enter:
voradmin cos s3 role config AKIA****P KQSm****D arn:aws:iam::1XXXXXXXXXXX:user/VTE_S3_User arn:aws:iam::1XXXXXXXXXXX:role/VTE_S3_Role
After you configure the user and assign the CTE COS S3 Role, CTE will access the S3 bucket through the delegated IAM user account using temporary credentials that CTE regenerates periodically. These credentials are maintained entirely by CTE and are never exposed to end users.
-