
As per AWS documentation here - You cannot switch roles when you sign in as the AWS account root user.

If we go by AWS best practices, i.e. not to use the root user to perform actions, this restriction makes sense & supports why AWS does not allow a role switch as the root user. However, when using a Bucket policy, a root user in one account can access a Bucket in another account & AWS does not seem to restrict that, unlike roles (technically, both are cross-account actions using resource policies).

Why does this 'root user restriction' apply only for roles and not buckets - Any security reasons?

Marcin

2 Answers

Access to services is normally granted via IAM permissions on IAM Users, IAM Groups and IAM Roles.

Some AWS services also permit the creation of policies that can grant access to aspects of that specific service. Examples are:

  • Amazon S3 bucket policies
  • Amazon SQS queue access policies
  • Amazon SNS access policies

These policies can be used to grant cross-account access, and also unauthenticated access such as public access to objects in Amazon S3 buckets and the ability to send unauthenticated messages to an Amazon SQS queue.

These policies are used to grant additional access. They do not involve "assuming" any additional roles.

John Rotenstein
  • Thanks John - why is assuming an additional role restricted to IAM users only, i.e. "Why can't the root user of one account temporarily assume a role in another account"? – Abhishek Palakkal Kaliyath May 16 '20 at 07:37
  • In the early days of AWS, there was only the root login. It could do everything. Over time, there was a desire to add fine-grained security, so IAM was created. The root account is a "left-over" from the old days and does not fit the IAM model of security. Assuming a role is a function of IAM, and the root account is not an IAM entity. More recently, with AWS Organizations, accounts can be created with no root login (it uses an IAM admin role instead). This is just a bit of history, not an explanation of 'why'. – John Rotenstein May 16 '20 at 07:49
  • Thanks John - your comments calms me a bit :-) – Abhishek Palakkal Kaliyath May 16 '20 at 07:58

I think there is some misunderstanding on the use of roles and a bucket policy with an external account's root as principal.

The roles are meant to be temporarily assumed, for someone or something that normally does not have permissions for some action. This could be a user or service from the same or a different account.

However, when you use the other account's root in a bucket policy principal, you are giving that account permanent (until manually revoked by you) trust to the bucket for all or some actions on it. You use root as the principal so that the owner of the other account can delegate access to its own users or roles. You fully trust the other account to manage the access to the bucket without your involvement.

Of course, if you are not comfortable giving such trust to the other account, you can limit access to your bucket to a given IAM user or a role only. This will obviously limit the ability of the owner of the other account to delegate access to your bucket.

Marcin
  • Thanks Marcin, I understand what you explained but rephrasing my question - "Why can't the root user of one account temporarily assume a role in another account" & why are only IAM users allowed? – Abhishek Palakkal Kaliyath May 16 '20 at 07:34
  • @AbhishekPalakkalKaliyath I think it's by AWS principles of not using the root account. It's one less reason for using the root account. If it was allowed, people would just end up testing role issues with root - it does not work as an IAM user, maybe it will work as root? Similar to Linux - a command does not work, so try to sudo it. Just my speculation. Maybe there are some technical reasons for that as well. – Marcin May 16 '20 at 07:41
  • Makes sense Marcin - If only AWS applied a similar restriction on the root user for S3 buckets as well & in fact that was what I was trying to clarify through my original question :-) – Abhishek Palakkal Kaliyath May 16 '20 at 07:44
  • @AbhishekPalakkalKaliyath I see what you mean. I have no answer for that. As a bucket owner you don't have to add such permissions. You can choose any IAM user or role from the other account, or create your own role. It doesn't have to be root from the other account. – Marcin May 16 '20 at 07:50
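As an added example (not part of either answer or of the original question), the following Python builds the two kinds of S3 bucket policy the answers contrast: one whose Principal is the other account's root ARN (trust the whole account and let its owner delegate), and one whose Principal is a single role ARN (trust only that role, so nobody else in that account, including its root user, matches). A small matcher then shows which callers each Principal element admits. Account IDs, the bucket name and the `DataReader` role are made-up values, and the matcher is a deliberate simplification of IAM evaluation: it answers only "does this caller match the statement's Principal?" and ignores Deny statements, Conditions, the caller's own identity-based policies, SCPs and ACLs.

```python
# Added example, not code from the original Q&A. All account IDs, the bucket
# name and the DataReader role are hypothetical. The matcher below is a
# simplification of IAM evaluation: Principal matching only, no Deny/Condition,
# no identity-based policies, no SCPs, no ACLs.
import json
import re

BUCKET_OWNER = "111111111111"   # account that owns the bucket (hypothetical)
OTHER_ACCOUNT = "222222222222"  # account being granted access (hypothetical)
BUCKET = "example-shared-bucket"


def bucket_policy(principal_arn: str) -> dict:
    """Resource policy granting read access on BUCKET to one Principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                f"arn:aws:s3:::{BUCKET}",
                f"arn:aws:s3:::{BUCKET}/*",
            ],
        }],
    }


# 1) Trust the whole other account. Its owner can then delegate access to
#    its own users and roles via identity policies, without involving the
#    bucket owner. (Those principals still need s3:* in their own policies.)
ACCOUNT_WIDE_POLICY = bucket_policy(f"arn:aws:iam::{OTHER_ACCOUNT}:root")

# 2) Trust one role only. Other users in that account, and its root user,
#    do not match this statement.
ROLE_ONLY_POLICY = bucket_policy(f"arn:aws:iam::{OTHER_ACCOUNT}:role/DataReader")

_ARN = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):(.+)$")


def _canonical(arn: str):
    """Normalise a principal/caller ARN to (account_id, identity).

    A bare 12-digit account ID means the same as that account's root ARN.
    An STS assumed-role session ARN is mapped back to its IAM role ARN."""
    if re.fullmatch(r"\d{12}", arn):
        return arn, "root"
    m = _ARN.match(arn)
    if not m:
        raise ValueError(f"not a recognised principal ARN: {arn}")
    svc, account, rest = m.groups()
    if svc == "sts" and rest.startswith("assumed-role/"):
        rest = "role/" + rest.split("/")[1]
    return account, rest


def principal_matches(policy: dict, caller_arn: str) -> bool:
    """True if some Allow statement's Principal covers caller_arn."""
    caller_acct, caller_id = _canonical(caller_arn)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            p_acct, p_id = _canonical(p)
            if p_acct != caller_acct:
                continue
            # "<account>:root" as Principal means any principal of that account
            if p_id == "root" or p_id == caller_id:
                return True
    return False


def who_can_read(policy: dict, callers) -> dict:
    return {c: principal_matches(policy, c) for c in callers}


CALLERS = [  # constructed sample callers
    f"arn:aws:iam::{OTHER_ACCOUNT}:root",
    f"arn:aws:iam::{OTHER_ACCOUNT}:user/alice",
    f"arn:aws:sts::{OTHER_ACCOUNT}:assumed-role/DataReader/session1",
    "arn:aws:iam::333333333333:user/mallory",
]

if __name__ == "__main__":
    for name, pol in (("account-wide", ACCOUNT_WIDE_POLICY),
                      ("role-only", ROLE_ONLY_POLICY)):
        print(name, json.dumps(who_can_read(pol, CALLERS), indent=2))
```

Running it shows the account-wide policy admitting the other account's root user, `alice` and a `DataReader` session alike (the bucket owner has handed delegation to that account), while the role-only policy admits the `DataReader` session and nothing else; a caller from an unrelated account never matches either. Whether those matched callers actually get the object still depends on their own identity policies and any Deny, which this matcher does not model.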