Implementing Role Pass to EC2 on AWS: Security Best Practices

How to Pass Roles to EC2 Instances Safely and Securely


Question

You are the security leader in a firm that has its workloads on AWS.

You have been asked to implement a way for developers to pass their roles to EC2.

There are two conditions: the developers must not be able to pass the Administrator role to EC2, and the credentials for the role must last a maximum of 45 minutes. How could you achieve this?

Answers

Explanations


Correct Answer: C.

Option A is incorrect because there is no trust policy for EC2, therefore EC2 won't be able to assume any role.

More details: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html.

Option B is incorrect because there is no trust policy for EC2, therefore EC2 won't be able to assume any role.

Also, the explicit deny in the policy overrides the allow.

Option C is CORRECT because, with the trust policy, EC2 can assume the role.

In the policy there is an explicit deny to pass the AdminRole.

Therefore the Developer could pass any role except the Admin one.

More details: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html.

Option D is incorrect because the explicit deny in the policy overrides the allow.

More details: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html.

The correct answer to this question is A. Create a role named "EC2NotAdmin". Create a new policy and attach it to the EC2NotAdmin role. This policy has two statements: the first denies PassRole with the Admin role as the resource; the second allows PassRole on all resources.

Explanation: The scenario presented in the question requires the implementation of a solution that allows developers to pass their roles to EC2 instances, but only under specific conditions. In this case, the solution must comply with two requirements: do not allow the developers to pass the Administrator role to EC2, and make sure the credentials for the role last no more than 45 minutes.

To achieve this, the first step is to create a new IAM role named "EC2NotAdmin". Then, a new policy must be created and attached to this role. This policy should have two statements, which are:

  1. Deny PassRole with the Admin Role as a resource: This statement ensures that developers cannot pass the Administrator role to EC2 instances. This is achieved by specifying the "NotResource" field in the statement, which allows the role to be passed to any resource except the Administrator role.

  2. Allow a statement to pass the role to all resources: This statement grants the necessary permissions for developers to pass their roles to EC2 instances, but only for roles other than the Administrator role. Additionally, this statement sets the maximum duration for the credentials to 45 minutes, which meets the second requirement.

Therefore, the correct solution is A, which implements the required restrictions and permissions to allow developers to pass their roles to EC2 instances while complying with the specified conditions.
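The two explanations above rest on the same two IAM mechanics: an explicit Deny on iam:PassRole for the Admin role overrides the broad Allow, and EC2 can only assume a role whose trust policy names ec2.amazonaws.com. The following Python script is an added example, not code from the page or from AWS; it models that evaluation logic locally so the policy shape can be checked offline. The account id, role names and policy documents are constructed for illustration, and the script covers only the permission and trust checks, not the 45-minute credential lifetime.

```python
import fnmatch

# Constructed permissions policy for the developer principal (not one of the page's options).
# The Allow is listed first on purpose: the evaluator must still return ExplicitDeny for AdminRole.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPassAnyRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "DenyPassAdminRole", "Effect": "Deny",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/AdminRole"},
    ],
}

# Constructed trust policy that lets the EC2 service assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

# Constructed trust policy with no EC2 principal (the defect in options A and B).
NO_EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": []}

ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"
DEV_ROLE = "arn:aws:iam::123456789012:role/DevAppRole"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard matching: '*' and '?' match any characters, including '/' and ':'."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny always wins over any Allow;
    with no matching statement the result is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # Deny short-circuits regardless of statement order
        decision = "Allow"
    return decision


def ec2_can_assume(trust_policy):
    """True if some Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if "ec2.amazonaws.com" in services and any(_matches(a, "sts:AssumeRole") for a in actions):
            return True
    return False


def can_pass_to_ec2(permissions_policy, trust_policy, role_arn):
    """Both conditions from the explanation: the developer is allowed to PassRole
    the target role, and the target role trusts the EC2 service."""
    return ec2_can_assume(trust_policy) and \
        evaluate(permissions_policy, "iam:PassRole", role_arn) == "Allow"


if __name__ == "__main__":
    for role in (DEV_ROLE, ADMIN_ROLE):
        print(role, "->", evaluate(DEVELOPER_POLICY, "iam:PassRole", role))
    print("dev role with EC2 trust:", can_pass_to_ec2(DEVELOPER_POLICY, EC2_TRUST_POLICY, DEV_ROLE))
    print("dev role without EC2 trust:", can_pass_to_ec2(DEVELOPER_POLICY, NO_EC2_TRUST_POLICY, DEV_ROLE))
```

Running the script shows AdminRole ending in ExplicitDeny even though the Allow statement comes first, DevAppRole passing only when the trust policy names the EC2 service, and an unrelated action such as iam:CreateRole falling through to an implicit deny.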