AWS RBAC Guide

Introduction

Role-Based Access Control (RBAC) in AWS lets you manage permissions by assigning users or groups to roles that carry specific policies, so that each user has access only to what their job requires.

Key Concepts
  • IAM Role: An identity that carries a set of permissions and can be assumed by trusted users, services, or AWS resources.
  • IAM Policy: Defines allowed or denied actions for resources.
  • Principle of Least Privilege: Users get only the permissions necessary to perform their tasks.

Scenario: RBAC for a Development Team

Imagine you have a development team working on a web application hosted on AWS. You need to give different levels of access to developers, testers, and system administrators.

  • Developers: Can deploy code to Lambda and access S3 buckets for testing, but cannot change IAM roles.
  • Testers: Can read data from S3 and DynamoDB but cannot deploy code.
  • System Administrators: Can manage IAM roles, monitor CloudWatch logs, and modify all resources.

To implement this:

  1. Create IAM Policies for each team:
    • DeveloperPolicy → allows Lambda updates and S3 read/write.
    • TesterPolicy → allows read-only access to S3 and DynamoDB.
    • AdminPolicy → full access to all resources including IAM and CloudWatch.
  2. Create IAM Roles and attach the corresponding policies:
    • DeveloperRole → attaches DeveloperPolicy.
    • TesterRole → attaches TesterPolicy.
    • AdminRole → attaches AdminPolicy.
  3. Assign team members to the corresponding roles.

Example IAM Policy JSONs

DeveloperPolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:UpdateFunctionCode",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}

TesterPolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "dynamodb:GetItem",
        "dynamodb:Scan"
      ],
      "Resource": "*"
    }
  ]
}

AdminPolicy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

With this setup, each team only has access to what they need, following the principle of least privilege. Developers can deploy and test, testers can validate data without changing anything, and admins can manage the system.
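The following is an added example and not part of the guide: a small Python evaluator that applies a simplified version of IAM's decision logic (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied; wildcard matching on action names and resource ARNs) to the three policies above and checks that each team's requirements from the scenario actually hold. It also contrasts the guide's "Resource": "*" with a hypothetical DeveloperPolicy scoped to one bucket and one function-name prefix; the bucket name, function prefix, account id and region in that variant are constructed placeholders. Conditions, NotAction/NotResource and resource-based policies are not modelled.

```python
import re

# The three policies from the guide, as Python dicts (same content as the JSON above).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["lambda:UpdateFunctionCode", "s3:GetObject", "s3:PutObject"],
                   "Resource": "*"}],
}
TESTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "dynamodb:GetItem", "dynamodb:Scan"],
                   "Resource": "*"}],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example (not from the guide): the DeveloperPolicy with access scoped to one
# hypothetical test bucket and one function-name prefix instead of "Resource": "*".
# Account id, region, bucket and function names are placeholders.
SCOPED_DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:webapp-*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-test-bucket/*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def is_allowed(policies, action, resource="*"):
    """Simplified IAM decision for one request across the given identity policies:
    an explicit Deny in any matching statement wins, otherwise any matching Allow
    grants, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action, False) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_scenario():
    """Map each requirement from the scenario to whether the guide's policies satisfy it."""
    dev, tst, adm = [DEVELOPER_POLICY], [TESTER_POLICY], [ADMIN_POLICY]
    return {
        "developer_can_deploy_lambda": is_allowed(dev, "lambda:UpdateFunctionCode"),
        "developer_can_write_s3": is_allowed(dev, "s3:PutObject"),
        "developer_cannot_change_iam": not is_allowed(dev, "iam:AttachRolePolicy"),
        "tester_can_read_dynamodb": is_allowed(tst, "dynamodb:Scan"),
        "tester_cannot_deploy": not is_allowed(tst, "lambda:UpdateFunctionCode"),
        "tester_cannot_write_data": not (is_allowed(tst, "s3:PutObject")
                                         or is_allowed(tst, "dynamodb:PutItem")),
        "admin_can_manage_iam": is_allowed(adm, "iam:CreateRole"),
        "admin_can_read_cloudwatch_logs": is_allowed(adm, "logs:FilterLogEvents"),
    }


if __name__ == "__main__":
    for name, ok in check_scenario().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    # With "Resource": "*" the developer can write to any bucket; the scoped variant cannot.
    other = "arn:aws:s3:::prod-data/secret.csv"
    print("unscoped developer writes prod bucket:", is_allowed([DEVELOPER_POLICY], "s3:PutObject", other))
    print("scoped developer writes prod bucket:  ", is_allowed([SCOPED_DEVELOPER_POLICY], "s3:PutObject", other))
```

Run it directly to print one PASS/FAIL line per requirement. The last two lines show the caveat behind the guide's policies: with "Resource": "*", the developer's s3:PutObject succeeds against any bucket in the account, which is exactly the over-grant an ARN-scoped Resource list prevents while still satisfying the scenario.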

Additional Notes
  • Use IAM Groups to manage multiple users with the same role.
  • Enable MFA (Multi-Factor Authentication) for sensitive roles like AdminRole.
  • Regularly review policies to ensure they follow the principle of least privilege.
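As an added example for the last two notes (not the guide's own tooling): a Python script that flags the usual least-privilege red flags in a permissions policy (Action "*", service-wide actions such as s3:*, and Resource "*") across the three policies above, and checks whether a role's trust policy requires MFA through the aws:MultiFactorAuthPresent condition key, which is the standard way to enforce "MFA for AdminRole" when the role is assumed. The two trust policies, and the account id inside them, are constructed for the example.

```python
# Permissions policies from the guide, as Python dicts (same content as the JSON above).
GUIDE_POLICIES = {
    "DeveloperPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "s3:GetObject", "s3:PutObject"],
         "Resource": "*"}]},
    "TesterPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "dynamodb:GetItem", "dynamodb:Scan"],
         "Resource": "*"}]},
    "AdminPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}

# Constructed trust policies for AdminRole (not from the guide); the account id is a
# placeholder. The second one only lets the role be assumed by callers who
# authenticated with MFA, via the aws:MultiFactorAuthPresent condition key.
ADMIN_TRUST_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}
ADMIN_TRUST_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(name, policy):
    """Return human-readable findings for least-privilege red flags in one policy.
    Only Allow statements are examined; Deny statements never widen access."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{name}[{i}]: Action '*' allows every API call in every service")
        service_wide = [a for a in actions if a.endswith(":*")]
        if service_wide:
            findings.append(f"{name}[{i}]: service-wide actions {service_wide}; list the calls needed")
        if "*" in resources:
            findings.append(f"{name}[{i}]: Resource '*' applies to every resource; scope to ARNs")
    return findings


def review_all(policies=GUIDE_POLICIES):
    """Run review_policy over a name -> policy mapping."""
    return {name: review_policy(name, policy) for name, policy in policies.items()}


def trust_policy_requires_mfa(trust_policy):
    """True if every Allow sts:AssumeRole statement in the trust policy carries
    the Bool condition aws:MultiFactorAuthPresent = true."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        bool_conditions = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_conditions.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            return False
    return True


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, "->", findings or ["no findings"])
    print("AdminRole trust without MFA requires MFA:", trust_policy_requires_mfa(ADMIN_TRUST_WITHOUT_MFA))
    print("AdminRole trust with MFA requires MFA:   ", trust_policy_requires_mfa(ADMIN_TRUST_WITH_MFA))
```

Running it shows that every policy in the guide produces at least one finding: the Developer and Tester policies because of "Resource": "*", the Admin policy because of both wildcards. That is expected for a teaching example and is the kind of output a periodic review should surface so that each grant is either justified or narrowed; the MFA check is the complement on the trust side, since a permissions policy alone says nothing about how strongly the caller authenticated.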