AWS IAM Access Strategy
Sym's AWS IAM Strategy uses a dedicated IAM role to move users in and out of IAM Groups.
You can generate this!
You can automatically generate an AWS IAM Flow with symflow generate aws-iam.
Otherwise, follow the AWS Runtime Setup tutorial to set up your AWS dependencies.
Connect the Sym Runtime with your AWS Account
Follow the AWS Runtime Setup tutorial on the main AWS page to set up your runtime_connector module.
Add an AWS IAM Integration
Define the IAM Connector
The AWS IAM Access Strategy relies on a special module, iam-connector. This module defines the AWS IAM resources that enable Sym to manage IAM Groups in your AWS account.
module "iam_connector" {
  source  = "symopsio/iam-connector/aws"
  version = ">= 2.0.0"

  # This environment should match the environment defined in the environment.tf generated by `symflow init`
  environment       = local.environment_name
  runtime_role_arns = [module.runtime_connector.sym_runtime_connector_role.arn]
}
Define the AWS IAM Permission Context Integration
Define a sym_integration resource with type = permission_context. This tells Sym to assume the AWS IAM Role defined by the IAM Connector module when managing your AWS IAM Groups; the integration is referenced by the sym_strategy resource later.
- external_id: Your AWS Account ID. Use the account_id output from module.iam_connector.settings.
- settings: The settings output from module.iam_connector.
resource "sym_integration" "iam_context" {
  type        = "permission_context"
  name        = "main-iam"
  external_id = module.iam_connector.settings.account_id
  settings    = module.iam_connector.settings
}
Add AWS IAM Access Targets
Define sym_target resources with type = aws_iam_group for each AWS IAM Group that you wish to manage access to.
- iam_group: A required setting that must be set to the name of the IAM Group being managed.
resource "sym_target" "cloudwatch_readonly" {
  type = "aws_iam_group"

  # A unique identifier for this target; we recommend using the group name.
  # aws_iam_group.cloudwatch_readonly is the IAM Group resource defined elsewhere in your configuration.
  name  = aws_iam_group.cloudwatch_readonly.name
  label = "Cloudwatch Read-only"

  settings = {
    # Your AWS IAM Group name
    iam_group = aws_iam_group.cloudwatch_readonly.name
  }
}
Add an AWS IAM Access Strategy
Define a sym_strategy resource with type = aws_iam and include the AWS IAM Permission Context and the AWS IAM Access Targets you defined above.
resource "sym_strategy" "aws_iam" {
  type           = "aws_iam"
  name           = "main-aws-iam"
  integration_id = sym_integration.iam_context.id

  # This must be a list of `aws_iam_group` sym_targets that users can request to be escalated to
  targets = [sym_target.cloudwatch_readonly.id]
}
Add the AWS IAM Strategy to your Flow
In your sym_flow resource, reference your AWS IAM sym_strategy as the strategy_id in your Flow Parameters.
resource "sym_flow" "this" {
  name  = "iam_access"
  label = "IAM Group Access"

  # ... other Flow attributes not shown

  params {
    # The strategy this Flow will use to manage access.
    strategy_id = sym_strategy.aws_iam.id

    # ... other Flow parameters not shown
  }
}
Full Example
You can find the complete code for this example in our AWS IAM Access Strategy Example.
Consider your session lengths
Sym controls how long a user stays in an escalated IAM Group, but AWS still governs the sessions in which that membership is used. This means:
- IAM evaluates an IAM user's policies on every request, so once Sym removes the user from the group (allow a few seconds for propagation; IAM is eventually consistent) the group's permissions stop applying to the user's existing access keys and console session as well as to new ones. The exception is access obtained indirectly: if the group lets the user assume another role, sessions already assumed keep that role's permissions until they expire, because a role session is evaluated against the role's policies rather than the user's group membership. To cut such sessions off early, use the role's revoke-sessions mechanism (a Deny statement with an aws:TokenIssueTime condition).
- Conversely, if your Sym access is longer than your default session length, users may be logged out and have to re-authenticate during the access window; their group membership is unaffected by that.
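Because Sym escalates and de-escalates with iam:AddUserToGroup and iam:RemoveUserFromGroup calls made by the connector role, and CloudTrail records both as IAM management events by default, the trail is the record to check when you want to confirm that escalations actually ended on time. The following is an added example, not code from the Sym documentation or the Sym project: it replays a handful of constructed CloudTrail records and reports users still in a managed group past the expected access window, plus any membership change to a managed group not made by the connector role. The role ARN, group names, access window and events are assumptions for illustration.

```python
"""Reconcile CloudTrail IAM group-membership events against the Sym access window.

Added example. Finds (1) users still in a managed group beyond the expected access
window and (2) membership changes made by anyone other than the iam-connector role.
Constants and sample events below are constructed for illustration, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed values: replace with your iam-connector role ARN and the groups Sym manages.
SYM_ROLE_ARN = "arn:aws:iam::123456789012:role/sym-iam-connector"
MANAGED_GROUPS = {"cloudwatch_readonly"}
ACCESS_WINDOW = timedelta(hours=1)


def _event_time(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _issuer_role_arn(event: dict) -> str | None:
    """ARN of the IAM role behind an assumed-role session; None for IAM users or root."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


@dataclass
class Findings:
    open_memberships: dict[tuple[str, str], datetime] = field(default_factory=dict)
    overdue: list[tuple[str, str, timedelta]] = field(default_factory=list)   # user, group, age
    out_of_band: list[tuple[str, str, str]] = field(default_factory=list)     # event, user, group


def reconcile(events: list[dict], now: datetime, window: timedelta = ACCESS_WINDOW) -> Findings:
    """Replay membership events in time order and report anomalies as of `now`."""
    f = Findings()
    for ev in sorted(events, key=_event_time):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name = ev.get("eventName")
        if name not in ("AddUserToGroup", "RemoveUserFromGroup"):
            continue
        params = ev.get("requestParameters") or {}
        user, group = params.get("userName"), params.get("groupName")
        # Skip groups Sym does not manage and calls that were denied (no state change).
        if group not in MANAGED_GROUPS or ev.get("errorCode"):
            continue
        if _issuer_role_arn(ev) != SYM_ROLE_ARN:
            f.out_of_band.append((name, user, group))
        if name == "AddUserToGroup":
            f.open_memberships.setdefault((user, group), _event_time(ev))
        else:
            f.open_memberships.pop((user, group), None)
    for (user, group), since in f.open_memberships.items():
        if now - since > window:
            f.overdue.append((user, group, now - since))
    return f


def _record(time: str, name: str, user: str, group: str, actor: dict, error: str | None = None) -> dict:
    """Build a minimal CloudTrail record (constructed sample data, not a real trail)."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "userIdentity": actor, "requestParameters": {"userName": user, "groupName": group}}
    if error:
        rec["errorCode"] = error
    return rec


SYM_SESSION = {"type": "AssumedRole",
               "arn": "arn:aws:sts::123456789012:assumed-role/sym-iam-connector/sym-runtime",
               "sessionContext": {"sessionIssuer": {"type": "Role", "arn": SYM_ROLE_ARN}}}
HUMAN_ADMIN = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin", "userName": "admin"}

SAMPLE_EVENTS = [  # constructed
    _record("2024-05-01T10:00:00Z", "AddUserToGroup", "alice", "cloudwatch_readonly", SYM_SESSION),
    _record("2024-05-01T10:45:00Z", "RemoveUserFromGroup", "alice", "cloudwatch_readonly", SYM_SESSION),
    _record("2024-05-01T11:00:00Z", "AddUserToGroup", "bob", "cloudwatch_readonly", SYM_SESSION),
    _record("2024-05-01T12:30:00Z", "AddUserToGroup", "carol", "cloudwatch_readonly", HUMAN_ADMIN),
    _record("2024-05-01T12:40:00Z", "AddUserToGroup", "dave", "billing", SYM_SESSION),
    _record("2024-05-01T12:50:00Z", "AddUserToGroup", "erin", "cloudwatch_readonly", HUMAN_ADMIN, "AccessDenied"),
]
NOW = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)


def demo() -> Findings:
    return reconcile(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    result = demo()
    for user, group, age in result.overdue:
        print(f"OVERDUE: {user} still in {group} after {age}")
    for name, user, group in result.out_of_band:
        print(f"OUT-OF-BAND: {name} {user} -> {group} not made by {SYM_ROLE_ARN}")
```

In the sample, alice's escalation closes normally, bob has been in the group for two hours against a one-hour window and is reported as overdue, carol was added by a human administrator rather than the connector role and is reported as out-of-band, and the unmanaged group and the denied call are ignored. Feeding real records from CloudTrail Lake or an S3 trail export into reconcile() in place of SAMPLE_EVENTS gives you a check that the de-escalation half of the strategy is actually happening.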