IAM user can create and assign service roles with higher permissions than his own


Hey, we're creating an inline policy in a permission set in AWS IAM Identity Center.

I want to grant a user Admin permissions for all services except IAM. In IAM I would like the user to be able to create roles and policies, as long as the IAM permissions are less permissive than their own.

For example: not allowing the user to create an IAM service role with Administrator access and attach it to an EC2 instance.

These are the policies I have at the moment, though the user can currently create an Administrator role and assign it to an EC2 instance.

** The permission set is in the root (organization) account, and the permission boundary policy is located in the sub-account's IAM. Here are some of the things I've tried:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"NotAction": [
				"iam:*",
				"organizations:*",
				"account:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:CreateRole",
				"iam:PutRolePolicy",
				"iam:CreatePolicy",
				"iam:AttachRolePolicy",
				"iam:PassRole",
				"iam:CreateServiceLinkedRole",
				"iam:CreateInstanceProfile"
			],
			"Resource": "*",
			"Condition": {
				"ForAllValues:StringLike": {
					"iam:PermissionsBoundary": [
						"arn:aws:iam::<SUBACCOUNT-NUMBER>:policy/AmazonEC2FullAccess"
					]
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:DeleteServiceLinkedRole",
				"iam:CreateOpenIDConnectProvider",
				"iam:UpdateOpenIDConnectProviderThumbprint",
				"iam:DetachRolePolicy",
				"organizations:DescribeOrganization",
				"account:ListRegions",
				"iam:UpdateAssumeRolePolicy",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:AddRoleToInstanceProfile",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:DeleteInstanceProfile",
				"iam:GenerateCredentialReport",
				"iam:GenerateServiceLastAccessedDetails",
				"iam:Get*",
				"iam:List*",
				"iam:SimulateCustomPolicy",
				"iam:SimulatePrincipalPolicy"
			],
			"Resource": "*"
		}
	]
}

Or another option:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:CreateOpenIDConnectProvider",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:DetachRolePolicy",
                "organizations:DescribeOrganization",
                "account:ListRegions",
                "iam:CreateRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:PassRole",
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "aws:RequestTag/Scope": "less-permissive"
                }
            }
        }
    ]
}
Natalie
asked 8 months ago, 244 views
1 answer

This is a perfect use case for a permissions boundary, where you can define the upper limit of someone's permissions. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

LondonX (AWS)
answered 8 months ago
AWS EXPERT, reviewed 8 months ago
  • Yes, permissions boundaries are the way to go. This blog provides detailed explanations: https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/

  • Thanks for answering, this also doesn't seem to have any effect. Thoughts?

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"NotAction": [
    				"iam:*",
    				"organizations:*",
    				"account:*"
    			],
    			"Resource": "*"
    		},
    		{
    			"Effect": "Allow",
    			"Action": [
    				"iam:CreateRole",
    				"iam:PutRolePolicy",
    				"iam:CreatePolicy",
    				"iam:AttachRolePolicy",
    				"iam:PassRole",
    				"iam:CreateServiceLinkedRole",
    				"iam:CreateInstanceProfile"
    			],
    			"Resource": "*",
    			"Condition": {
    				"ForAllValues:StringLike": {
    					"iam:PermissionsBoundary": [
    						"arn:aws:iam::<SUBACCOUNT-NUMBER>:policy/AmazonEC2FullAccess"
    					]
    				}
    			}
    		},
    		{
    			"Effect": "Allow",
    			"Action": [
    				"iam:DeleteServiceLinkedRole",
    				"iam:CreateOpenIDConnectProvider",
    				"iam:UpdateOpenIDConnectProviderThumbprint",
    				"iam:DetachRolePolicy",
    				"organizations:DescribeOrganization",
    				"account:ListRegions",
    				"iam:UpdateAssumeRolePolicy",
    				"iam:DeleteRole",
    				"iam:DeleteRolePolicy",
    				"iam:AddRoleToInstanceProfile",
    				"iam:RemoveRoleFromInstanceProfile",
    				"iam:DeleteInstanceProfile",
    				"iam:GenerateCredentialReport",
    				"iam:GenerateServiceLastAccessedDetails",
    				"iam:Get*",
    				"iam:List*",
    				"iam:SimulateCustomPolicy",
    				"iam:SimulatePrincipalPolicy"
    			],
    			"Resource": "*"
    		}
    	]
    }
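
A worked check of the permissions-boundary pattern, added here as an example; it is not part of the original question or answer. The account ID 111122223333, the boundary policy name DeveloperBoundary, the role path /app/ and the small policy evaluator are assumptions made for the demonstration. The evaluator covers only the handful of operators needed to show why the first policy in the question lets iam:CreateRole through when the request carries no iam:PermissionsBoundary at all: ForAllValues evaluates to true when the context key is absent from the request, so for this single-valued key a plain StringEquals is the operator that actually enforces the boundary. The corrected policy also denies iam:DeleteRolePermissionsBoundary and new versions of the boundary policy itself, since a boundary is only an upper limit if the delegated admin cannot remove or rewrite it. One further caveat: AmazonEC2FullAccess is an AWS managed policy whose ARN is arn:aws:iam::aws:policy/AmazonEC2FullAccess; a policy with that name under the sub-account's account ID only exists if it was created there as a customer managed policy.

```python
"""Offline check of delegated IAM admin behind a permissions boundary (added example;
account ID, boundary name and the /app/ role path are assumed, not from the post)."""
import fnmatch

ACCOUNT = "111122223333"                                           # assumed
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"  # assumed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app/web-server"           # constructed request target
ROLE_PATH = f"arn:aws:iam::{ACCOUNT}:role/app/*"


def build_delegated_admin_policy(boundary_arn: str) -> dict:
    """Permission-set inline policy: admin outside IAM/Organizations/Account, plus
    role administration that must carry the boundary and can neither drop nor edit it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "NotAction": ["iam:*", "organizations:*", "account:*"]},
        # iam:PermissionsBoundary is single-valued: plain StringEquals fails when the
        # request carries no boundary, whereas ForAllValues is true for an absent key.
        {"Effect": "Allow", "Resource": ROLE_PATH,
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy",
                    "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:CreatePolicy", "iam:CreateInstanceProfile",
                    "iam:AddRoleToInstanceProfile", "iam:Get*", "iam:List*"]},
        # The /app/ path keeps pre-existing, unbounded roles out of reach of PassRole.
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_PATH,
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        # A boundary is only an upper limit if it can be neither removed nor rewritten.
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"]},
        {"Effect": "Deny", "Resource": boundary_arn,
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"]},
    ]}

# The question's first attempt, reduced to the statement that matters.
QUESTION_ATTEMPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"], "Resource": "*",
     "Condition": {"ForAllValues:StringLike": {
         "iam:PermissionsBoundary": [f"arn:aws:iam::{ACCOUNT}:policy/AmazonEC2FullAccess"]}}}]}

_OPS = {"StringEquals": lambda v, p: v == p, "StringLike": fnmatch.fnmatchcase}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _string_op(name, value, patterns):
    # StringEquals / StringLike and their Not variants, checked against one value.
    hit = any(_OPS[name.replace("Not", "", 1)](value, p) for p in patterns)
    return not hit if "Not" in name else hit

def _condition_holds(condition: dict, context: dict) -> bool:
    for op_name, keys in condition.items():
        set_op, _, base = op_name.rpartition(":")      # e.g. "ForAllValues", "StringLike"
        if_exists = base.endswith("IfExists")
        base = base[:-8] if if_exists else base
        for key, patterns in keys.items():
            values = _as_list(context.get(key, []))
            if not values:
                # The trap: an absent key satisfies ForAllValues and ...IfExists,
                # but fails every other operator.
                if set_op == "ForAllValues" or if_exists:
                    continue
                return False
            checks = [_string_op(base, v, _as_list(patterns)) for v in values]
            if not (all(checks) if set_op == "ForAllValues" else any(checks)):
                return False
    return True

def evaluate(policy: dict, action: str, resource: str, context: dict = None) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request; explicit Deny wins."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        else:
            hit = not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["NotAction"]))
        hit = hit and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not hit or not _condition_holds(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def question_attempt_allows_unbounded_role() -> bool:
    """CreateRole with no iam:PermissionsBoundary in the request slips through."""
    return evaluate(QUESTION_ATTEMPT, "iam:CreateRole", ROLE_ARN) == "Allow"

def corrected_policy_results() -> dict:
    """The same kind of requests against the corrected policy."""
    p = build_delegated_admin_policy(BOUNDARY_ARN)
    admin = "arn:aws:iam::aws:policy/AdministratorAccess"
    return {
        "create_without_boundary": evaluate(p, "iam:CreateRole", ROLE_ARN),
        "create_with_boundary": evaluate(p, "iam:CreateRole", ROLE_ARN, {"iam:PermissionsBoundary": BOUNDARY_ARN}),
        "create_with_admin_boundary": evaluate(p, "iam:CreateRole", ROLE_ARN, {"iam:PermissionsBoundary": admin}),
        "remove_boundary": evaluate(p, "iam:DeleteRolePermissionsBoundary", ROLE_ARN),
        "edit_boundary_policy": evaluate(p, "iam:CreatePolicyVersion", BOUNDARY_ARN),
        "pass_role_to_ec2": evaluate(p, "iam:PassRole", ROLE_ARN, {"iam:PassedToService": "ec2.amazonaws.com"}),
        "run_instances": evaluate(p, "ec2:RunInstances", "*"),
    }
```

Running corrected_policy_results() shows the role can only be created when the request names the DeveloperBoundary, the boundary can neither be removed from a role nor edited as a policy, and everything outside IAM is still allowed through the NotAction statement. Before relying on a policy like this in Identity Center, confirm with the IAM policy simulator in the member account that the boundary ARN resolves there, since the permission set's inline policy is evaluated in the account where the role is created.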
    
