AWS Hub and Spoke Roles
IAMbic uses a Hub-and-Spoke model to manage AWS resources. If you use AWS Organizations with IAMbic, your AWS Organizations management account will serve as the Hub account. However, if you use individual AWS accounts, you need to specify the account that will serve as the Hub account. In this case, IAMbic will create an IambicHubRole on the Hub account and an IambicSpokeRole role on all of your AWS accounts. IambicSpokeRole will be assumed by the IambicHubRole to perform actions on each respective account.
Hub Role Permissions
The IambicHubRole should have permission to assume any IambicSpokeRole
in the environment, and to list all accounts in AWS Organizations.
See the IambicHubRole Cloudformation template for more details.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:ListAccounts",
"organizations:ListTagsForResource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession",
"sts:SetSourceIdentity"
],
"Resource": "arn:aws:iam::*:role/IambicSpokeRole*"
}
]
}
Spoke Role Permissions
Each AWS account should have an IAMbicSpokeRole. The IAMbic setup wizard will guide you in creating a Cloudformation StackSet to automatically configure each account with this role.
See the IambicSpokeRole Cloudformation template for more details.
The IAMbicSpokeRole should have the following policy attached: arn:aws:iam::aws:policy/ReadOnlyAccess,
and the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"identitystore:*",
"organizations:describe*",
"organizations:list*",
"iam:*",
"sso:*"
],
"Resource": [
"*"
]
},
{
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:describesecret",
"secretsmanager:listsecrets",
"secretsmanager:listsecretversionids",
"secretsmanager:PutSecretValue"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:*:*:secret:iambic-config-secrets-*"
},
{
"Action": [
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:*:*:IAMbicChangeDetectionQueue"
}
]
}
Read-Only Spoke Role permissions
If your initial evaluation requires a much more restrictive IAMbicSpokeRole, we do provide a CloudFormation
StackSet template to create IAMbicSpokeRoleReadOnly. The read only postfix only uses list, read capability of
iam and sso (aka IdentityCenter) services. However, in order for iambic setup to work, it keeps the
write ability to SecretManager resources prefixed with iambic-config-secrets-. This is necessary to keeps
track of other secrets used for other plugins. In addition, the write access to SQS is limited to queue
named IAMbicChangeDetectionQueue to monitor IAM resources changes.
The effect of using a read-only Spoke Role would be IAMbic can only handle one directional import from AWS.
You can either use iambic setup to instruct the initial setup to use a more restricted IAMbicSpokeRole or
directly change the IAMbic configuration to specify the arn of the spoke role.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"identitystore:Describe*",
"identitystore:Get*",
"identitystore:List*",
"organizations:describe*",
"organizations:list*",
"iam:Get*",
"iam:List*",
"sso:Describe*",
"sso:Get*",
"sso:List*",
"sso:Search*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:describesecret",
"secretsmanager:listsecrets",
"secretsmanager:listsecretversionids",
"secretsmanager:PutSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:iambic-config-secrets-*"
],
"Effect": "Allow"
},
{
"Action": [
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes"
],
"Effect": "Allow",
"Resource": "arn:aws:sqs:*:*:IAMbicChangeDetectionQueue"
}
]
}