DEV Community

Mitchell Edom

Simplify AWS IAM Role Trust Policies in Organizations

Background

As a company scales out the number of AWS accounts used for different workloads, it may need IAM roles that can be assumed by any other account within the organization to perform some action. If you trust accounts by adding each account principal to the trust policy, you may soon find yourself hitting the 2048 character limit.

Solution

Use conditions

By combining condition keys with the trust that organization membership already implies, you can dramatically reduce the size and complexity of trust policies.

From listing every account ID explicitly:

  OrgWideRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: OrgWideRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - '012345678901'
                - '123456789012'
                - '234567890123'
                - '345678901234'
                - '456789012345'
                - '567890123456'
                - '*150 or so more account IDs*'
            Action: sts:AssumeRole

To trusting the organization ID:

  OrgWideRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: OrgWideRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - '*'
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:PrincipalOrgID: o-12345abcd

You can instead limit trust to accounts under a specific OU by using the condition key aws:PrincipalOrgPaths.

e.g.

  Condition:
    ForAnyValue:StringEquals:
      aws:PrincipalOrgPaths:
        - o-12345abcd/r-eg123/ou-example123/

This can be extended further with the StringLike operator to trust every account in the OU and all of its child OUs.

e.g.

  Condition:
    ForAnyValue:StringLike:
      aws:PrincipalOrgPaths:
        - o-12345abcd/r-eg123/ou-example123*
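The following script is an added example, not code from the post or from AWS: it builds the three trust-policy shapes shown above (explicit account list, aws:PrincipalOrgID, aws:PrincipalOrgPaths), estimates their size against the 2048 character quota, and evaluates them offline the way IAM evaluates StringEquals, StringLike and the ForAnyValue set operator for a given caller context. The organization, root and OU IDs are the same constructed placeholders the post uses; the caller account numbers are made up. It deliberately ignores explicit Deny statements and the caller's own identity-based permissions, which IAM also checks for a cross-account AssumeRole.

```python
"""Offline model of the org-scoped trust policies shown above.

Added example, not the post's own code. Models IAM's StringEquals / StringLike
operators (case-sensitive, '*' any run, '?' one char) and the ForAnyValue /
ForAllValues set operators. Explicit Deny statements and the caller's own IAM
permissions are out of scope. All IDs below are constructed placeholders.
"""
import json
import re

ORG_ID = "o-12345abcd"                           # constructed organization ID
OU_PATH = "o-12345abcd/r-eg123/ou-example123/"  # constructed org path to an OU


def _policy(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def build_account_list_trust(account_ids):
    """Trust every account by listing each account ID explicitly."""
    return _policy(list(account_ids))


def build_org_trust(org_id):
    """Trust any principal whose account belongs to the organization."""
    return _policy("*", {"StringEquals": {"aws:PrincipalOrgID": org_id}})


def build_ou_trust(path_pattern, operator="ForAnyValue:StringLike"):
    """Trust principals whose org path matches. aws:PrincipalOrgPaths is a
    multivalued key, so IAM expects a ForAnyValue/ForAllValues set operator."""
    return _policy("*", {operator: {"aws:PrincipalOrgPaths": [path_pattern]}})


def policy_length(policy):
    """Characters counted against the trust policy quota; IAM does not count
    whitespace toward its policy size quotas, so serialise without it."""
    return len(json.dumps(policy, separators=(",", ":")))


def member_context(org_id=None, org_paths=()):
    """Request context for a caller. A caller outside any organization carries
    neither key, which is exactly how the org conditions reject it."""
    ctx = {}
    if org_id:
        ctx["aws:PrincipalOrgID"] = org_id
    if org_paths:
        ctx["aws:PrincipalOrgPaths"] = list(org_paths)
    return ctx


def _string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_matches(condition, context):
    for op_name, pairs in condition.items():
        set_op, _, base = op_name.rpartition(":")  # "ForAnyValue:StringLike" -> set op + base op
        if base == "StringEquals":
            match = lambda p, v: p == v
        elif base == "StringLike":
            match = _string_like
        else:
            raise ValueError(f"operator not modelled: {op_name}")
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            values = context.get(key)
            if values is None:
                return False  # key absent from the request: the condition cannot match
            values = values if isinstance(values, list) else [values]
            hits = [any(match(p, v) for p in patterns) for v in values]
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):
                return False
    return True


def evaluate_assume_role(policy, caller_account, context):
    """True if some Allow statement lets caller_account call sts:AssumeRole."""
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]["AWS"]
        principals = principals if isinstance(principals, list) else [principals]
        trusted = any(p in ("*", caller_account, f"arn:aws:iam::{caller_account}:root")
                      for p in principals)
        if trusted and _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    many = [f"{n:012d}" for n in range(150)]  # constructed, stands in for "150 or so" accounts
    print("account list:", policy_length(build_account_list_trust(many)), "chars")
    print("org condition:", policy_length(build_org_trust(ORG_ID)), "chars")
    child = OU_PATH + "ou-child456/"                  # constructed child OU path
    loose = build_ou_trust("o-12345abcd/r-eg123/ou-example123*")
    tight = build_ou_trust("o-12345abcd/r-eg123/ou-example123/*")
    for path in (child, "o-12345abcd/r-eg123/ou-example1234/"):
        ctx = member_context(ORG_ID, [path])
        print(path, "loose:", evaluate_assume_role(loose, "999999999999", ctx),
              "tight:", evaluate_assume_role(tight, "999999999999", ctx))
```

Running it shows the account-list policy for 150 accounts exceeding the quota while the org-ID policy stays well under 200 characters, and a caller with no aws:PrincipalOrgID in its context (an account outside any organization) being refused by the StringEquals condition. The last loop illustrates one check worth making on the wildcard form: a pattern ending in `ou-example123*` also matches an OU whose ID merely starts with `ou-example123` (the constructed `ou-example1234` here), whereas `ou-example123/*` still covers the OU and all of its children but only those.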

There are more permutations possible to fit your needs, but implementing trust via organization or OU membership has significantly reduced our trust policy sizes while increasing the scalability of the platform.

Useful References

AWS Global Condition Context Keys
IAM and STS Limits
