Cloud Provider IAM Integration
Cloud provider Identity and Access Management (IAM) systems control what actions IaC tools can perform. AWS IAM, Azure RBAC, and Google Cloud IAM each provide a rich permission model of allow and deny statements, resource scoping, and condition keys, and each must be configured deliberately for IaC: the identity that runs Terraform or a comparable tool usually needs the right to create, modify, and delete infrastructure, which makes it one of the most valuable principals in the account.
That identity should hold no long-lived credential. AWS IAM roles assumed through STS, Azure managed identities, and Google Cloud service accounts reached through workload identity federation all issue short-lived tokens to the tool; a static AWS access key pair or a Google service-account key file is exactly the secret this arrangement avoids. Whichever form the identity takes, it should follow least privilege and hold only the permissions the specific IaC workflow requires, scoped by environment, region, resource name prefix, or tag where the provider's condition keys allow it. Regular permission audits (for example, comparing granted actions against the actions actually recorded in CloudTrail or the provider's audit log) keep the identity from accumulating privileges it no longer uses.
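The following Terraform is an added example, not code from the original text: it shows an AWS IaC role that a CI job assumes through OIDC federation, so no static access key exists and STS issues per-job short-lived credentials. It assumes the GitHub Actions OIDC provider is already registered in the account; the organization, repository, role name, and policy are placeholders.

```hcl
# Added example (not from the original page). Assumes the GitHub Actions
# OIDC provider https://token.actions.githubusercontent.com is already
# registered in this account; org/repo and role names are placeholders.

data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

data "aws_iam_policy_document" "github_oidc_trust" {
  statement {
    sid     = "GitHubActionsOIDC"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }
    # The token audience must be sts.amazonaws.com; without this check a
    # token minted by the same provider for another audience could be
    # presented to STS.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Pin the subject to one repository and one branch. A wildcard such as
    # "repo:example-org/*" would let any repository in the organization,
    # including a fork-based pull request, assume this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/infra:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "ci_iac_dev" {
  name               = "ci-iac-dev"
  assume_role_policy = data.aws_iam_policy_document.github_oidc_trust.json
  # Credentials expire with the job; one hour is the minimum AWS allows.
  max_session_duration = 3600
}

# Least-privilege permissions for this role. A read-only set is enough for a
# "terraform plan" job; an apply job gets a separate role with write rights.
data "aws_iam_policy_document" "ci_iac_dev_permissions" {
  statement {
    sid       = "PlanReads"
    actions   = ["ec2:Describe*", "s3:GetObject", "s3:ListBucket"]
    resources = ["*"]
  }
  statement {
    sid       = "StateBucketAccess"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::example-tfstate/dev/*"]
  }
}

resource "aws_iam_role_policy" "ci_iac_dev" {
  name   = "ci-iac-dev"
  role   = aws_iam_role.ci_iac_dev.id
  policy = data.aws_iam_policy_document.ci_iac_dev_permissions.json
}
```

Splitting plan and apply into two roles with different subject conditions (for example, pull-request subjects for plan, the main branch for apply) keeps the write-capable identity out of reach of code that has not yet been merged.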
# Example AWS IAM policies for IaC service accounts
# Development environment IaC role - permissive within boundaries
data "aws_iam_policy_document" "dev_iac_policy" {
  statement {
    sid       = "EC2Management"
    actions   = ["ec2:*"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestedRegion"
      values   = ["us-east-1"]
    }
    # aws:userid for a role session is "<role-id>:<session-name>", and role
    # IDs start with AROA. (IAM user IDs start with AIDA and carry no
    # session suffix, so "AIDA*:dev-*" would never match anything.)
    condition {
      test     = "StringLike"
      variable = "aws:userid"
      values   = ["AROA*:dev-*"]
    }
  }
  statement {
    sid = "S3Management"
    actions = [
      "s3:CreateBucket",
      "s3:DeleteBucket",
      "s3:PutBucketPolicy",
      "s3:PutBucketEncryption"
    ]
    resources = ["arn:aws:s3:::dev-*"]
  }
  # Tag enforcement. aws:RequestTag is only present on requests that carry
  # tags, and StringNotEquals evaluates to true when the key is absent, so a
  # Deny on "*" would block every untagged call (Describe*, PutBucketPolicy,
  # and so on). Scope the deny to tag-on-create actions and to the resource
  # types those actions tag, and use two statements: one for a wrong value,
  # one (Null) for a missing tag.
  statement {
    sid    = "TagEnforcementWrongValue"
    effect = "Deny"
    actions = [
      "ec2:RunInstances",
      "ec2:CreateVolume",
      "ec2:CreateSecurityGroup"
    ]
    resources = [
      "arn:aws:ec2:*:*:instance/*",
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:ec2:*:*:security-group/*"
    ]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestTag/Environment"
      values   = ["development"]
    }
  }
  statement {
    sid    = "TagEnforcementMissing"
    effect = "Deny"
    actions = [
      "ec2:RunInstances",
      "ec2:CreateVolume",
      "ec2:CreateSecurityGroup"
    ]
    resources = [
      "arn:aws:ec2:*:*:instance/*",
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:ec2:*:*:security-group/*"
    ]
    condition {
      test     = "Null"
      variable = "aws:RequestTag/Environment"
      values   = ["true"]
    }
  }
}
# Production environment IaC role - highly restricted
data "aws_iam_policy_document" "prod_iac_policy" {
  statement {
    sid = "ReadOnlyAccess"
    actions = [
      "ec2:Describe*",
      "s3:Get*",
      "s3:List*",
      "rds:Describe*"
    ]
    resources = ["*"]
  }
  # Modify* calls carry no request tags, so a condition on aws:RequestTag
  # would never be satisfied and this statement would grant nothing. Gate
  # the update on tags already present on the target resource instead.
  statement {
    sid = "LimitedUpdateAccess"
    actions = [
      "ec2:ModifyInstanceAttribute",
      "ec2:ModifyVolumeAttribute",
      "autoscaling:UpdateAutoScalingGroup"
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/ManagedBy"
      values   = ["Terraform"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Environment"
      values   = ["production"]
    }
  }
  # BoolIfExists makes a missing aws:MultiFactorAuthPresent key match this
  # condition, so the deny also covers long-term access keys and federated
  # sessions (such as OIDC-backed CI jobs) that never carry the key. Attach
  # this statement only to roles that a human operator assumes interactively.
  statement {
    sid       = "RequireMFA"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}
# Cross-account assume role policy
variable "external_id" {
  type        = string
  description = "Confused-deputy guard; the caller must present exactly this value"
  sensitive   = true
}
variable "allowed_ips" {
  type        = list(string)
  description = "CIDR blocks the AssumeRole call may originate from"
}
resource "aws_iam_role" "cross_account_iac" {
  name = "CrossAccountIaCRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::123456789012:role/IaCExecutionRole"
        }
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.external_id
          }
          # aws:SourceIp is the caller's public address; it is not set for
          # calls that arrive through a VPC endpoint (use aws:VpcSourceIp
          # and aws:SourceVpce for that path).
          IpAddress = {
            "aws:SourceIp" = var.allowed_ips
          }
        }
      }
    ]
  })
}
Permission boundaries add a further layer by defining the maximum permissions an identity can ever hold: the effective permissions of a role with a boundary are the intersection of its identity policies and the boundary, so an action allowed by a policy but absent from the boundary is still denied. Even if IaC mistakenly creates an overly permissive role, the boundary keeps that role from exceeding the defined ceiling. Pairing the boundary with a condition that forbids the IaC identity from creating or modifying roles without it closes the obvious escape, since otherwise the pipeline could simply create a role that has no boundary. This defense-in-depth approach prevents permission escalation through IaC misconfigurations.
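The Terraform below is an added example, not code from the original text. It defines a boundary policy, restricts the IaC pipeline identity so it can only create and modify roles that carry that boundary (via the iam:PermissionsBoundary condition key) and cannot edit the boundary itself, and then creates a role whose inline policy is deliberately far too broad to show that the boundary caps it. All names are placeholders.

```hcl
# Added example (not from the original page). Names are placeholders.

# 1. The boundary: the ceiling for any role it is attached to. Effective
#    permissions = identity policies AND this document.
data "aws_iam_policy_document" "iac_boundary" {
  statement {
    sid       = "AllowedServices"
    actions   = ["ec2:*", "s3:*", "rds:*", "logs:*"]
    resources = ["*"]
  }
  # IAM administration is simply absent from the allow list above; the
  # explicit deny ensures that a later widening of that list cannot let a
  # bounded role remove or replace its own boundary.
  statement {
    sid    = "DenyBoundaryTampering"
    effect = "Deny"
    actions = [
      "iam:DeleteRolePermissionsBoundary",
      "iam:PutRolePermissionsBoundary",
      "iam:DeleteUserPermissionsBoundary",
      "iam:PutUserPermissionsBoundary"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "iac_boundary" {
  name   = "iac-permissions-boundary"
  policy = data.aws_iam_policy_document.iac_boundary.json
}

# 2. Guardrails for the pipeline identity: it may create roles and manage
#    their policies only when the role carries the boundary, and it may
#    not change the boundary policy itself.
data "aws_iam_policy_document" "iac_iam_guardrails" {
  statement {
    sid = "RoleAdminOnlyWithBoundary"
    actions = [
      "iam:CreateRole",
      "iam:AttachRolePolicy",
      "iam:DetachRolePolicy",
      "iam:PutRolePolicy",
      "iam:DeleteRolePolicy"
    ]
    resources = ["arn:aws:iam::*:role/app-*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = [aws_iam_policy.iac_boundary.arn]
    }
  }
  statement {
    sid    = "ProtectBoundaryPolicy"
    effect = "Deny"
    actions = [
      "iam:CreatePolicyVersion",
      "iam:DeletePolicy",
      "iam:DeletePolicyVersion",
      "iam:SetDefaultPolicyVersion"
    ]
    resources = [aws_iam_policy.iac_boundary.arn]
  }
}

# 3. A role the pipeline creates. Its inline policy asks for everything,
#    but the boundary limits it to ec2/s3/rds/logs and no IAM at all.
resource "aws_iam_role" "app_example" {
  name                 = "app-example"
  permissions_boundary = aws_iam_policy.iac_boundary.arn
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "app_example_overbroad" {
  name = "overbroad"
  role = aws_iam_role.app_example.id
  # Deliberately too broad: the boundary makes iam:*, sts:*, and every
  # other service outside the allow list unusable from this role.
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}
```

A resource-based policy (for example, an S3 bucket policy) that grants the bounded role access is still limited by the boundary when the role acts within its own account, so the boundary cannot be bypassed by granting from the resource side.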