Monday 26 January 2015

Why is cross-account access for AWS safer?

AWS has a feature called cross-account access: you create an IAM role whose trust policy names a trusted entity (typically another AWS account), and you attach a permissions policy to that role. The trusted entity can then delegate the ability to assume that role to its own IAM entities. AWS typically recommends this for a third-party service that accesses an AWS account on its customers' behalf.


This avoids having to store a customer's access key credentials at the third party, but the third party could still be compromised, and the attacker could then use the cross-account role. The alternative is to create a dedicated IAM user for the use case, assign it an appropriate policy, and hand out that user's access keys.


It seems like the risk is the same either way. I understand that cross-account access will use STS and generate temporary credentials, but this doesn't really make anything safer if the third party gets compromised. The trusting entity would have to either disable the role or disable the API key.
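As an added illustration of the mechanism described above (this code is not from the original post), here are the two policy documents a customer attaches to such a role, plus an offline approximation of the trust check STS performs on AssumeRole. The account ids, bucket name and ExternalId are constructed placeholders; the sts:ExternalId condition is AWS's documented confused-deputy mitigation for third-party roles, which the post does not mention.

```python
import json

# Constructed placeholder values for this example (not real account ids).
CUSTOMER_ACCOUNT = "111111111111"      # the trusting account that owns the role
THIRD_PARTY_ACCOUNT = "222222222222"   # the trusted entity named in the trust policy
EXTERNAL_ID = "example-external-id"    # issued per customer by the third party


def trust_policy(third_party_account, external_id):
    """Trust policy for the customer's role: only the third party's account may
    call sts:AssumeRole, and only when it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket):
    """Least-privilege permissions attached to the role itself; the third party
    gets exactly this, for the lifetime of each set of temporary credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def assume_role_allowed(policy, caller_account, external_id):
    """Offline approximation of the STS trust check: the caller's account must
    match an Allow principal and any sts:ExternalId condition must match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond and cond["sts:ExternalId"] != external_id:
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(THIRD_PARTY_ACCOUNT, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy("example-customer-bucket"), indent=2))
```

Revoking the third party here means editing the trust policy in the customer's account (removing the principal statement), rather than rotating or deactivating a long-lived secret that the third party holds.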
