Delegating Admin Credentials using IAM Roles and Cloudwatch Alerts

Posted on Sat 12 December 2015 in aws

It's hard to strike the right balance with admin rights: either they're too strict and people can't get work done, or they're too lenient and you have security issues.

As a compromise, AWS provides the AssumeRole feature which lets admins temporarily escalate their role to perform a task.

It's important when setting this up that you alert the team when it's used. Here we'll talk about how to set up the roles, give teams access to the roles and create an alert system when the roles are assumed.

Create The Temporary Admin Role

Use the IAM console to create the TemporaryAdminRole role. This one has full admin rights. It's used only in emergencies.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }

Create a Group who can Assume the Role

Create a new group, TemporaryAdmins, and give it the right to assume the role above. Then add yourself (and anyone else who needs it) to the group.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::XXXXXXX:role/TemporaryAdminRole"
        }
    }

Test out the new Role

Follow the AWS instructions for assuming roles.

Create An Alert to Trigger Whenever the Role Is Assumed

Here's the fun part: using CloudTrail and CloudWatch Logs, we'll create an alert whenever the AssumeRole event occurs.

Before getting started, make sure you've activated CloudTrail in all of your regions and enabled delivery of CloudTrail events to CloudWatch Logs.

Creating a Metric Filter

In CloudWatch Logs, click on "Filters" and add a metric filter named SwitchRoleEvent with this filter pattern:

{$.eventName = "SwitchRole"}

At this point you can create an alarm as usual that fires whenever the metric's SUM >= 1 within a 5-minute interval.

Test it out by assuming the role as we did above: you should get a typical CloudWatch alert notification whenever the SwitchRoleEvent metric fires.
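As an added example (not from the post), here is a small offline check of the filter and alarm logic above, run over constructed CloudTrail-style records: it applies the post's `{$.eventName = "SwitchRole"}` pattern, sums matches per 5-minute window and returns the windows where SUM >= 1. The sample data deliberately includes a CLI `sts:AssumeRole` record, which CloudTrail logs with eventName `AssumeRole` (from sts.amazonaws.com) rather than `SwitchRole` (from signin.amazonaws.com), so the post's filter does not count it; the account id XXXXXXX and all user names are placeholders.

```python
from datetime import datetime

# Metric filter pattern exactly as configured in the post.
SWITCH_ROLE_PATTERN = '{$.eventName = "SwitchRole"}'

# Constructed CloudTrail-style records (sample data, not real events); the account
# id XXXXXXX is the post's placeholder. eventTime is UTC, as CloudTrail emits it.
SAMPLE_RECORDS = [
    {"eventTime": "2015-12-12T10:01:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "SwitchRole", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-12-12T10:02:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::XXXXXXX:role/TemporaryAdminRole",
                           "roleSessionName": "bob-maintenance"}},
    {"eventTime": "2015-12-12T10:12:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "SwitchRole", "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

def parse_pattern(pattern):
    """Parse the single-term JSON filter form {$.path = "value"} into (path, value)."""
    body = pattern.strip()[1:-1].strip()  # drop the surrounding braces
    path, sep, value = body.partition("=")
    if not sep or not path.strip().startswith("$."):
        raise ValueError("unsupported filter pattern: %r" % pattern)
    return path.strip()[2:], value.strip().strip('"')

def record_matches(record, pattern):
    """True when the record's value at $.path equals the filter's literal."""
    path, value = parse_pattern(pattern)
    node = record
    for key in path.split("."):  # walk nested keys, e.g. requestParameters.roleArn
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node == value

def alarm_windows(records, pattern, period_minutes=5, threshold=1):
    """Sum matches per period (the metric's SUM statistic) and return the start
    times of every window whose SUM >= threshold, i.e. where the alarm fires."""
    sums = {}
    for record in records:
        if not record_matches(record, pattern):
            continue
        t = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        start = t.replace(minute=t.minute - t.minute % period_minutes, second=0)
        sums[start] = sums.get(start, 0) + 1
    return sorted(start for start, total in sums.items() if total >= threshold)
```

To also catch CLI and SDK use of the role, add a second metric filter on `{$.eventName = "AssumeRole"}` (narrowed to `$.requestParameters.roleArn` if you only care about TemporaryAdminRole); the same `record_matches` helper evaluates that pattern too.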