Restricting creating Permission Sets without attaching the Permission Boundary for the same.

0

have a use case from a bigger enterprise, they are currently adopting AWS SSO with AzureAD integration. In the setup, currently account users or roles can create permissionsets with administrator access without adding Permission boundary.

The Permission Boundary policy is created for the AWS account. While manually adding the permission sets from the console and creating a new permission set, it works smoothly. Creating the permission sets without attaching permission boundary works as well. But, to be able to restrict creating the permissionsets does not seem to work by adding a Deny policy on the IAM role/user

{
            "Sid": "DenyCreatePermissionSetWithoutBoundary",
            "Effect": "Deny",
            "Action": [
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeleteInlinePolicyFromPermissionSet",
                "sso:DeletePermissionSet",
                "sso:DetachManagedPolicyFromPermissionSet",
                "sso:ProvisionPermissionSet",
                "sso:PutInlinePolicyToPermissionSet",
                "sso:UpdatePermissionSet"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "ARN of the PB"
                }
            }
        }

It seems the condition block is not getting evaluated for the above policy. Its either restricting the permission set overall or not restricting at all.

Is there any way to restrict creating the permission sets without adding Permission boundary?

posta un anno fa190 visualizzazioni
2 Risposte
0

I could be wrong but, if you write a permission boundary with a DENY statement to block the one thing you don’t want that user/role to do, you would still need an ALLOW * statement or they can’t do anything.

profile picture
ESPERTO
con risposta un anno fa
0

The actions for

sso:CreatePermissionSet 

and

sso:CreateAccountAssignmentare

separate actions and don't have a permission boundary property since the Permission Boundary attachment is a separate action:

PutPermissionBoundaryToPermissionSet

i have checked the IAM policies and its current landscape. iam:PermissionsBoundary does not impact anything on the overall effects and actions in cases sso: related activities

con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande