topic Re: Instance Profile Access Controls in Administration & Architecture

Instance Profile Access Controls

100804 — Wed, 21 Feb 2024 23:29:37 GMT

I manage instance profiles assigned to specific user groups. For example, instance profile A provides access solely to group A. Currently, any user within group A has the ability to update the permissions of a cluster using instance profile A, which allows a user from outside group A to utilize the cluster and access instance profile A, contrary to the intended access restrictions on instance profile A.

Are there strategies to mitigate this risk and enhance security?

Re: Instance Profile Access Controls

100804 — Thu, 22 Feb 2024 18:47:32 GMT

Hi @Retired_mod,

Thank you for your guidance. I am following the strategies outlined in steps 1 and 2, and I remain concerned about a specific scenario.

Consider instance profile A, which is designed to grant access exclusively to group A. If user A, a member of group A, creates a cluster using instance profile A, they can modify the cluster's permissions, granting unauthorized access to user B, who is not part of group A.

I'd appreciate any additional insights or strategies to specifically address this risk. Thank you!