Being an AWS customer, if you are using multiple Amazon Elastic Container Service (Amazon ECS) services/tasks to attain better isolation, you frequently have the challenge of how exactly to manage usage of these containers. In such instances, using tags can let you categorize these ongoing services in various ways, such as for example by environment or owner.

This website post demonstrates how tags allow conditional usage of Amazon ECS resources. You should use attribute-based access control (ABAC) policies to grant access rights to users by using policies that combine attributes together. ABAC are a good idea in rapidly-growing environments, where policy management may become cumbersome. This website post uses ECS resource tags (owner tag and environment tag) because the attributes which are used to regulate access in the policies.

 

Amazon ECS resources have many attributes, such as for example tags, which may be used to regulate permissions. It is possible to attach tags to AWS Identity and Access Management (IAM) principals, and create the single ABAC policy, or perhaps a small group of policies for the IAM principals. These ABAC policies could be made to allow operations once the principal tag (a tag that exists on an individual or role making the decision) matches the resource tag. They could be used to simplify permission management at scale. An individual Amazon ECS policy can enforce permissions across a variety of applications, and never have to update the policy every time you create new Amazon ECS resources.

A step-by-step is supplied by this post process of creating ABAC policies for controlling usage of Amazon ECS containers. Because the united team adds ECS resources to its projects, permissions are applied in line with the owner tag and the surroundings tag automatically. As a total result, no policy update is necessary for every new resource. By using this approach can save time and assist in improving security, because it depends on granular permissions rules.

Condition key mappings

It’s vital that you remember that each IAM permission in Amazon ECS supports various kinds of tagging condition keys. The next table maps each condition key to its ECS actions.

Condition key	Description	ECS actions
aws:RequestTag/$TagKey	Set this tag value to require a specific tag be utilized (or not used) when coming up with an API request to generate or modify a resource which allows tags.	ecs:CreateCluster, ecs:TagResource, ecs:CreateCapacityProvider
aws:ResourceTag/$TagKey	Set this tag value to permit or deny user actions on resources with specific tags.	ecs:PutAttributes, ecs:StopTask, ecs:DeleteCluster, ecs:DeleteService, ecs:CreateTaskSet, ecs:DeleteAttributes, ecs:DeleteTaskSet, ecs:DeregisterContainerInstance
aws:RequestTag/$TagKey and aws:ResourceTag/$TagKey	Supports both RequestTag and ResourceTag	ecs:CreateService, ecs:RunTask, ecs:StartTask, ecs:RegisterContainerInstance

For an in depth guide of Amazon ECS actions and the resource condition and types keys they support, see Actions, resources, and condition keys for Amazon Elastic Container Service.

Tutorial overview

The next tutorial offers you a step-by-step process to generate and test an Amazon ECS policy which allows IAM roles with principal tags to gain access to resources with matching tags. Whenever a request is made by way of a principal to AWS, their permissions are granted predicated on if the resource and principal tags match. This plan allows individuals to see or edit only the ECS resources necessary for their jobs.

Scenario

Example Corp. has multiple Amazon ECS containers designed for different applications. Each one of these containers are manufactured by different owners within the ongoing company. The permissions for every of the Amazon ECS resources should be restricted in line with the owner of the container, and in line with the environment where in fact the action is conducted also.

Assume that you’re a lead developer as of this ongoing company, and you’re a skilled IAM administrator. You’re acquainted with managing and creating IAM users, roles, and policies. You intend to make sure that the development engineering associates can access only the containers they own. You will need a strategy which will scale as your organization grows also.

Because of this scenario, you decide to use AWS resource tags and IAM role principal tags to implement an ABAC technique for Amazon ECS resources. The problem key mappings table shows which tagging condition keys you should use in a policy for every Amazon ECS action and resources. It is possible to define the tags in the role you created. Because of this scenario, you &lt define two tags;span>Owner and Environment. These tags restrict permissions in the role in line with the tags you defined.

Prerequisites

To execute the steps in this tutorial, you need to already have the next:

• An IAM role or user with sufficient privileges for services like ECS and IAM. Following security practices&lt best;/a> the role must have a minimum group of grant and permissions additional permissions as necessary. You can include the AWS managed policies IAMFullAccess and AmazonECS_FullAccess to generate the IAM role to supply permissions for creating ECS and IAM resources.
• An AWS account you could sign in to being an IAM user or role.
• Experience editing and creating IAM users, roles, and policies in the AWS Management Console. To find out more, see Tutorial to generate IAM resources.

Create an ABAC policy for Amazon ECS resources

Following the prerequisites are completed by you for the tutorial, you need to define which Amazon ECS privileges and access controls you need set up for the users, and configure the tags necessary for creating the ABAC policies. This tutorial targets providing step-by-step instructions for creating test users, defining the ABAC policies for the Amazon ECS resources, developing a role, and defining tags for the implementation.

To generate the ABAC policy

An ABAC is established by you policy that defines permissions predicated on attributes. In AWS, these attributes are called tags.

The sample ABAC policy that follows provides ECS permissions to users once the principal’s tag matches the resource tag.

Sample ABAC policy for ECS resources

The sample ECS ABAC policy that follows allows an individual to execute action on the ECS resources, but only once those resources are tagged with exactly the same key-pairs because the principal.

1. Download the sample ECS policy. This policy allows principals to generate, read, edit, and delete resources, but only once those resources are tagged with exactly the same key-value pairs because the principal.
2. Utilize the downloaded ECS policy to generate the ECS ABAC policy, and name your brand-new policy ECSABAC policy. To find out more, see Creating IAM policies.

This sample policy provides permission to each ECS action in line with the condition key that action supports. See to the problem key mappings table for a mapping of the ECS actions and the problem key they support.

What does this policy do?

• The ECSCreateCluster statement allows users to generate cluster, tag and create resources. These ECS actions only support the RequestTag condition key. This problem block returns true if every tag passed (tags: owner and environment) in the request is roofed in the specified list. That is done utilizing the StringEquals condition operator. If an incorrect tag key apart from owner or environment tag is passed, or incorrect value for the tags are passed, the problem returns &lt then;span>false. The ECS actions within these statements don’t have a specific dependence on a resource type.
• The ECSDeletion, ECSUpdate, and ECSDescribe statements allow users to update, delete or list/describe ECS resources. The ECS actions under these statements only support the ResourceTag condition key. Statements return true if the specified tag keys can be found on the ECS resource and their values match the principal’s tags. These statements return false for mismatched tags (in this policy, the only real acceptable tags are owner and environment), or for an incorrect value for the surroundings and owner tag passed to the ECS resources. They return &lt also;span>false for just about any ECS action that will not support resource tagging.
• The ECSCreateService, ECSTaskControl, and ECSRegistration statements contain ECS actions that allow users to make a ongoing service, start or run register and tasks container instances in ECS. The ECS actions within both &lt is supported by these statements;strong>Resource and request tag condition keys.

Create IAM roles

Create the next IAM roles and attach the ECSABAC policy you created in the last procedure. It is possible to create the roles and add tags in their mind utilizing the AWS console, through the role creation flow, as shown in the next steps.

To generate IAM roles

1. Register to the AWS Management Console and demand IAM console.
2. In the left navigation pane, select Roles, and select &lt then;strong>Create Role.
3. Pick the Another AWS account role type.
4. For Account ID, enter the AWS account ID mentioned in the prerequisites to that you want to grant usage of your resources.
5. Choose Next: Permissions.
6. IAM carries a set of the AWS managed and customer managed policies in your account. Choose the ECSABAC policy you produced from the dropdown menu to utilize for the permissions policy previously. Alternatively, it is possible to choose Create policy to open a fresh browser tab and develop a new policy, as shown in Figure 1.

   

   Figure 1. Attach the ECS ABAC policy to the role

7. Choose Next: Tags.
8. Add metadata to the role by attaching tags as key-value pairs. Add the next tags to the role: for Key owner, enter Value mock_owner; and for Key environment, enter development, as shown in Figure 2.

   

   Figure 2. Define the tags in the IAM role

9. Choose Next: Review.
10. For Role name, enter a genuine name for the role. Role names should be unique inside your AWS account.
11. Review the role and choose Create role.

Test the solution

The next sections present some negative and positive test cases that show how tags can offer fine-grained permission to users through ABAC policies.

Prerequisites for the negative and positive testing

Before you perform the positive and negative tests, you need to first do these steps in the AWS Management Console:

1. Follow the procedures above for creating IAM role and the ABAC policy.
2. Switch the role from the role assumed in the prerequisites to the role you created in To generate IAM Roles above, following steps in the documentation Switching to a role.

Perform negative testing

For the negative testing, three test cases are presented here that show the way the ABAC policies prevent successful creation of the ECS resources if the owner or environment tags are missing, or if an incorrect tag can be used for the creation of the ECS resource.

Negative test case 1: Create cluster minus the required tags

In this test case, you check if an ECS cluster is established without the tags successfully. Create an Amazon ECS cluster without the tags (quite simply, without adding the owner and environment tag).

To make a cluster minus the required tags

1. Register to the AWS Management Console and demand IAM console.
2. From the navigation bar, choose the Region to utilize.
3. In the navigation pane, choose Clusters.
4. On the Clusters page, choose Create Cluster.
5. For Select cluster compatibility, choose Networking only, choose &lt then;strong>Next Step.
6. On the Configure cluster page, enter a cluster name. For Provisioning Model, choose On-Demand Instance, as shown in Figure 3.

   

   Figure 3. Develop a cluster

7. In the Networking section, configure the VPC for the cluster.
8. Don’t add any tags in the Tags section, as shown in Figure 4.

   

   Figure 4. No tags put into the cluster

9. Choose Create.

Expected consequence of negative test case 1

As the owner and the environment tags are absent, the creation is avoided by the ABAC policy of the cluster and throws one, as shown in Figure 5.

Negative test case 2: Create cluster with a missing tag

In this test case, you check whether an ECS cluster is established missing an individual tag successfully. A cluster is established by you like the one created in Negative test case 1. However, in this test case, in the Tags section, you enter only the owner tag. The environment tag is missing, as shown in Figure 6.

To make a cluster with a missing tag

1. Repeat steps 1-7 from the Negative test case 1 procedure.
2. In the Tags section, add the owner tag and enter its value as mock_user.

   

   Figure 6. Develop a cluster with the surroundings tag missing

Expected consequence of negative test case 2

The creation is avoided by the ABAC policy of the cluster, because of the missing environment tag in the cluster. This total results within an error, as shown in Figure 7.

Negative test case 3: Create cluster with incorrect tag values

In this test case, you check whether an ECS cluster is established with incorrect tag-value pairs successfully. Create a cluster like the one in Negative test case 1. However, in this test case, in the Tags section, enter incorrect values for the owner and the environment tag keys, as shown in Figure 8.

To make a cluster with incorrect tag values

1. Repeat steps 1-7 from the Negative test case 1 procedure.
2. In the Tags section, add the owner tag and enter the worthiness as test_user; add the environment tag and enter the worthiness as production.

   

   Figure 8. Develop a cluster with the wrong values for the tags

Expected consequence of negative test case 3

The ABAC policy prevents the creation of the cluster, because of incorrect values for the owner and environment tags in the cluster. This results within an error, as shown in Figure 9.

Perform positive testing

For the positive testing, two test cases are given here that show the way the ABAC policies allow successful creation of ECS resources, such as for example ECS ECS and clusters tasks, if the right tags with correct values are given as input for the ECS resources.

Positive test case 1: Create cluster with all the current correct tag-value pairs

This test case checks whether an ECS cluster is successfully made up of the right tag-value pairs once you develop a cluster with both owner and environment tag that matches earlier the ABAC policy you created.

To make a cluster with all the current correct tag-value pairs

1. Repeat steps 1-7 from the Negative test case 1 procedure.
2. In the Tags section, add the dog owner tag and enter the worthiness as mock_user; add the environment tag and enter the worthiness as development, as shown in Figure 10.

   

   Figure 10. Add correct tags to the cluster

Expected consequence of positive test case 1

Because both owner and the environment tags correctly were input, the ABAC policy allows the successful creation of the cluster without throwing one, as shown in Figure 11.

Positive test case 2: Create standalone task with all the current correct tag-value pairs

Deploying the application as a standalone task could be ideal using situations. For instance, suppose you’re developing a credit card applicatoin, but you aren’t prepared to deploy it with the ongoing service scheduler. Your application is really a one-time or periodic batch job maybe, and it doesn’t seem sensible to help keep running it, or even to restart when it finishes.

Because of this test case, a standalone is run by you task with the right owner and environment tags that match the ABAC policy.

To make a standalone task with all the current correct tag-value pairs

1. To perform a standalone task, see Run a standalone task in the Amazon ECS Developer Guide. Figure 12 shows the start of the Run Task process.

   

   Figure 12. Run a standalone task

2. In the Task tagging configuration section, under Tags, add the owner tag and enter the worthiness as mock_user; add the environment tag and enter the worthiness as development, as shown in Figure 13.

   

   Figure 13. Creation of the duty with the right tag

Expected consequence of positive test case 2

As you applied the right tags in the creation phase, the duty successfully is created, as shown in Figure 14.

Cleanup

In order to avoid incurring future charges, after completing testing, delete any resources you designed for this solution which are longer needed no. Start to see the following links for step-by-step instructions for deleting the resources you created in this website post.

1. Deregistering an ECS Task Definition
2. Deleting ECS Clusters
3. Deleting IAM Policies
4. Deleting IAM Roles and Instance Profiles

Conclusion

This post demonstrates the fundamentals of how exactly to use ABAC policies to supply fine-grained permissions to users predicated on attributes such as for example tags. You learned how exactly to create ABAC policies to restrict permissions to users by associating tags with each ECS resource you create. You should use tags to control and secure usage of ECS resources, including ECS clusters, ECS tasks, ECS task definitions, and ECS services.

To find out more concerning the ECS resources that support tagging, start to see the Amazon Elastic Container Service Guide.

When you have feedback about this post, submit comments in the Comments section below. When you have questions about this post, take up a new thread on AWS Secrets Manager re:Post or contact AWS Support.

Want more AWS Security news? Follow us on Twitter.