AWS IAM

Use Sym to seamlessly shift users in and out of IAM roles.

Overview

Sym's AWS IAM Strategy uses a dedicated IAM role to move users in and out of IAM Groups.

Consider your session lengths

Sym access gives your users the keys to escalated permissions, but AWS still governs the sessions that bound them. This means:

  • If your Sym access is shorter than your default session length, users who access an escalated role will retain that role until their session times out.
  • Conversely, if your Sym access is longer than your default session length, users may be logged out and have to re-authenticate.

This integration Strategy relies on a special connector

To use the AWS IAM Strategy, you'll need to set up the AWS IAM Connector module, too!

Example implementation

# A strategy uses an integration to grant people access to targets
resource "sym_strategy" "this" {
  type = "aws_iam"
  name = "${var.environment}-strategy"

  integration_id = data.sym_integration.iam.id
  targets        = [for target in sym_target.targets : target.id]
}

# A target is a thing that we are managing access to
resource "sym_target" "targets" {
  for_each = { for target in var.targets : target["group_name"] => target }

  type  = "aws_iam_group"
  label = each.value["label"]
  name  = each.value["group_name"]

  settings = {
    iam_group = each.value["group_name"]
  }
}
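The example above consumes `var.targets` without declaring it. As an added example (not taken from Sym's own docs or module), here is a declaration matching the keys the example reads (`group_name` and `label`), with validations so that a mistyped IAM Group name or a duplicate `for_each` key fails at plan time rather than at apply; the default values are constructed samples.

```hcl
# Added example: declares the var.targets list consumed by sym_target.targets above.
variable "targets" {
  description = "IAM Groups that Sym may move users into; one sym_target is created per entry."
  type = list(object({
    group_name = string # name of the existing IAM Group (also the for_each key)
    label      = string # human-readable label shown to requesters
  }))

  # Constructed sample values; replace with your own IAM Group names.
  default = [
    { group_name = "prod-readonly", label = "Production (read-only)" },
    { group_name = "prod-admin",    label = "Production (admin)" },
  ]

  # IAM Group names are 1-128 characters drawn from A-Z a-z 0-9 + = , . @ _ -
  validation {
    condition = alltrue([
      for t in var.targets : can(regex("^[A-Za-z0-9+=,.@_-]{1,128}$", t.group_name))
    ])
    error_message = "Every group_name must be a valid IAM Group name (1-128 chars of A-Z a-z 0-9 + = , . @ _ -)."
  }

  # sym_target.targets keys its for_each on group_name, so duplicates would collide.
  validation {
    condition     = length(distinct([for t in var.targets : t.group_name])) == length(var.targets)
    error_message = "group_name values must be unique across targets."
  }
}
```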