Only allow a role to pass itself


I am trying to write a permission boundary policy that allows developers to create personal IAM roles that are only allowed to pass themselves to EC2 instances.

I'm not seeing an obvious way to write a general purpose policy for this

I tried interpolating the role ARN in the resource field, which didn't work because the field only allows using policy variables in the final segment of the ARN.

    {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "${aws:PrincipalArn}"
    }

There doesn't seem to be a way to either retrieve the role name for use in the resource field, or the target role ARN for use in a condition statement.


P.S. I realize I could create a set of policies that each hardcode the name of the role, but I am hoping to write just a single more flexible policy because I want to use it as a permissions boundary.

1 Answer

You may want to look at the following KB article and borrow some methods from it. - How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?

answered 2 years ago
reviewed 2 years ago
  • Thank you, but this article does not answer my specific question.

  • And yet it is the correct answer. In your question you say "I am hoping to write just a single more flexible policy" but you cannot (as you have discovered) put a variable name in the condition statement.

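For readers who want to see what the permissions-boundary approach from the linked article looks like in practice, here is an added example policy that is not part of the original question or answer. It does not achieve the exact "a role may only pass itself" rule the asker wanted (the thread concludes that no single policy can express that), so it narrows the scope in the two ways that IAM does support: policy variables are allowed in the final segment of a Resource ARN, and iam:PassRole can be limited by the service the role is passed to. The account ID 123456789012, the path /developers/, the boundary policy name DeveloperBoundary, and the assumption that developers authenticate as IAM users (so that ${aws:username} resolves) are all assumptions made for this illustration.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRolesOnlyWithThisBoundaryAttached",
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::123456789012:role/developers/${aws:username}-*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/DeveloperBoundary"
                }
            }
        },
        {
            "Sid": "PassOwnRolesToEc2Only",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/developers/${aws:username}-*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DenyTamperingWithTheBoundaryPolicy",
            "Effect": "Deny",
            "Action": [
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": "arn:aws:iam::123456789012:policy/DeveloperBoundary"
        },
        {
            "Sid": "DenyRemovingBoundariesFromPrincipals",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteUserPermissionsBoundary"
            ],
            "Resource": "*"
        }
    ]
}
```

The first two statements use the policy variable only in the last segment of the ARN, which is the restriction the asker ran into; the variable cannot stand in for the whole ARN, and no condition key carries the ARN of the role being passed. The two Deny statements are the part borrowed from the privilege-escalation guidance: without them a developer could edit the boundary policy or strip the boundary from a role they created, which would defeat the scoping the first two statements provide.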
