Hey, we're creating an inline policy in a permission set in AWS Identity Center.
I want to grant a user Admin permissions for all services except IAM. In IAM I would like the user to be able to create roles and policies, as long as the IAM permissions are less permissive than its own.
For example: not allowing the creation of an IAM service role with Administrator access and attaching it to an EC2 instance.
These are the policies I have at the moment, though the user currently can create an Administrator role and assign it to an EC2 instance.
** The permission set is in the root (organization) account, and the permission boundary policy is located in the sub-account IAM. Here are some of the things I've tried:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:CreatePolicy",
        "iam:AttachRolePolicy",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "iam:CreateInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringLike": {
          "iam:PermissionsBoundary": [
            "arn:aws:iam::<SUBACCOUNT-NUMBER>:policy/AmazonEC2FullAccess"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteServiceLinkedRole",
        "iam:CreateOpenIDConnectProvider",
        "iam:UpdateOpenIDConnectProviderThumbprint",
        "iam:DetachRolePolicy",
        "organizations:DescribeOrganization",
        "account:ListRegions",
        "iam:UpdateAssumeRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:Get*",
        "iam:List*",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
Or another option:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole",
        "iam:CreateOpenIDConnectProvider",
        "iam:UpdateOpenIDConnectProviderThumbprint",
        "iam:DetachRolePolicy",
        "organizations:DescribeOrganization",
        "account:ListRegions",
        "iam:CreateRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:PassRole",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:Get*",
        "iam:List*",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLikeIfExists": {
          "aws:RequestTag/Scope": "less-permissive"
        }
      }
    }
  ]
}
Yes, permission boundaries are the way to go. This blog provides detailed explanations: https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/
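The delegation pattern that answer points to, written out as an added example (this is not a policy from the original thread or from the linked blog; the account ID 111122223333, the boundary policy name DelegatedBoundary and the role path /delegated/ are made-up placeholders). The important difference from the first policy in the question is the condition operator: ForAllValues evaluates to true when the request carries no iam:PermissionsBoundary value at all, so a CreateRole call that simply omits the boundary passes the condition and the Administrator role gets created. A plain StringEquals on iam:PermissionsBoundary fails when the key is absent, which forces every role the delegated user creates or modifies to carry the boundary. The two Deny statements stop the user from loosening the boundary policy itself or detaching it afterwards, and iam:PassRole is limited to roles under the delegated path so only boundary-capped roles can be handed to EC2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AdminOutsideIam",
      "Effect": "Allow",
      "NotAction": ["iam:*", "organizations:*", "account:*"],
      "Resource": "*"
    },
    {
      "Sid": "ReadOnlyIam",
      "Effect": "Allow",
      "Action": ["iam:Get*", "iam:List*", "iam:SimulateCustomPolicy", "iam:SimulatePrincipalPolicy"],
      "Resource": "*"
    },
    {
      "Sid": "CreateOrChangeRolesOnlyWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "arn:aws:iam::111122223333:role/delegated/*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/DelegatedBoundary"
        }
      }
    },
    {
      "Sid": "ManageDelegatedRolesAndProfiles",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::111122223333:role/delegated/*",
        "arn:aws:iam::111122223333:instance-profile/delegated/*"
      ]
    },
    {
      "Sid": "PassOnlyDelegatedRolesToEc2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/delegated/*",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" }
      }
    },
    {
      "Sid": "ProtectBoundaryPolicy",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::111122223333:policy/DelegatedBoundary"
    },
    {
      "Sid": "NeverRemoveBoundary",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "*"
    }
  ]
}
```

The boundary policy (DelegatedBoundary here) is the ceiling: a role's effective permissions are the intersection of its attached policies and the boundary, so whatever the delegated user attaches to a role, the role can never do more than the boundary allows. That ceiling is only as good as the boundary's contents, so the boundary itself should not grant iam:* or anything else the delegated user is not supposed to be able to hand out. Because the permission set lives in the management account and the boundary in the member account, the ARN in the condition and in the Deny has to name the member account's policy, as in the question.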
Thanks for answering, this also doesn't seem to have any effect. Thoughts?