IAM role trust policy behavior

0

Hi

AWS docs mentioned that an IAM role trust policy should be treated as a resource-based policy, but in fact it isn't.

Normally an IAM user can get a permission from his identity policy (resource-level permission), let's say s3:GetObject; then he will be allowed to do that action unless an explicit deny exists, regardless of the default implicit deny in the bucket policy.

So in the case of an IAM role trust policy, let's say role "A" trusts user "B" in the same account. If another user "C" in the same account has "sts:AssumeRole" permission in his identity-based policy as a resource-level permission, then he should be able to assume the role even if user "C" is not in the trust policy, which does not happen.

The current behavior is more like an explicit deny for any principal not specified in the trust policy.

It is not the default/documented behavior of a resource-based policy, which should be an implicit deny.

Any thoughts?

Thanks

2 answers
1
Accepted answer

The documentation has been updated to account for this exception.

Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

AWS Expert
kentrad
answered 2 years ago
  • Actually I read that before but didn't notice, thanks a lot

1

A user or resource can only assume an identity given the user/resource has "sts:assumerole" permissions for Role A, and Role A trusts the user or the entire account that includes users B and C. However, User C would not be able to assume Role A unless trusted by Role A even with "sts:assumerole" as a result of least privilege. Principals are not allowed to assume a role unless they are explicitly allowed to in the role's trust policy. This is because there is an implicit deny by default. An explicit deny would require a Deny statement which would override any allow. This is done to prevent User C from assuming a role with more permissions than they should be allowed.

Attaching the following documentation regarding role trust policies here. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

David_T
answered 2 years ago
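The difference both answers describe (an ordinary resource-based policy is OR-ed with the caller's identity policy for a same-account principal, while a role trust policy has to allow the principal itself) can be made concrete with a small evaluator. The code below is an added example for this thread, not AWS code and not the re:Post authors' code; the account id, the role "A", the users "B" and "C", the bucket and every policy document are constructed to mirror the question. It deliberately models only the rules discussed here (explicit Deny wins; identity-or-resource Allow for bucket-style policies; resource-side Allow required for trust and KMS key policies) and ignores conditions, cross-account evaluation, SCPs and permissions boundaries. Whether a same-account caller additionally needs an sts:AssumeRole allow in its identity policy depends on how the trust policy names the principal (account root versus a specific ARN), which the toy does not model.

```python
"""Toy same-account IAM policy evaluator (constructed example, not AWS code).

Rules modelled, following the thread:
  * an explicit Deny in any applicable policy wins;
  * for ordinary resource-based policies (e.g. an S3 bucket policy) a same-account
    principal is allowed if EITHER the identity policy OR the resource policy allows;
  * for role trust policies and KMS key policies the resource-based side itself
    must explicitly allow the principal; an identity-policy Allow alone is not enough.
"""
import fnmatch

ACCOUNT = "111122223333"  # constructed account id
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/A"
USER_B = f"arn:aws:iam::{ACCOUNT}:user/B"
USER_C = f"arn:aws:iam::{ACCOUNT}:user/C"
BUCKET_OBJECT = "arn:aws:s3:::example-bucket/report.csv"

# Resource-based policy types that must allow the principal explicitly
REQUIRE_EXPLICIT_RESOURCE_ALLOW = {"trust", "kms"}

# Role A trusts only user B (the question's scenario)
TRUST_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_B}, "Action": "sts:AssumeRole"}]}

# User C's identity policy allows assuming role A and reading the bucket
IDENTITY_POLICY_C = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}  # e.g. no bucket policy


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value):
    # IAM wildcards '*' and '?'; action and ARN matching is treated as case-insensitive here
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _principal_matches(stmt, principal_arn):
    """True if the statement's Principal element covers the caller (identity policies have none)."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p == "*" or p == principal_arn:
            return True
        if p in (ACCOUNT, f"arn:aws:iam::{ACCOUNT}:root"):
            # whole-account trust covers every principal in the account
            return principal_arn.startswith(f"arn:aws:iam::{ACCOUNT}:")
    return False


def _effects(policy, principal_arn, action, resource):
    """Set of Effects ('Allow'/'Deny') of all statements matching this request."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        # Trust-policy statements carry no Resource: the role itself is the resource
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        effects.add(stmt["Effect"])
    return effects


def evaluate(principal_arn, action, resource, identity_policy, resource_policy, policy_type="resource"):
    """Return 'Allow' or 'Deny' for a same-account request under the simplified rules."""
    id_eff = _effects(identity_policy, principal_arn, action, resource)
    res_eff = _effects(resource_policy, principal_arn, action, resource)
    if "Deny" in id_eff or "Deny" in res_eff:
        return "Deny"  # explicit deny always wins
    if policy_type in REQUIRE_EXPLICIT_RESOURCE_ALLOW:
        # the trust/key policy itself must name the principal; identity Allow alone is not enough
        return "Allow" if "Allow" in res_eff else "Deny"
    # ordinary resource-based policy: either side may grant access in the same account
    return "Allow" if ("Allow" in id_eff or "Allow" in res_eff) else "Deny"


def demo():
    """The three cases from the question, as a dict of decisions."""
    return {
        "C reads bucket object (identity Allow, no bucket policy)":
            evaluate(USER_C, "s3:GetObject", BUCKET_OBJECT, IDENTITY_POLICY_C, EMPTY_POLICY),
        "C assumes role A (identity Allow, not in trust policy)":
            evaluate(USER_C, "sts:AssumeRole", ROLE_A, IDENTITY_POLICY_C, TRUST_POLICY_A, "trust"),
        "B assumes role A (named in trust policy)":
            evaluate(USER_B, "sts:AssumeRole", ROLE_A, EMPTY_POLICY, TRUST_POLICY_A, "trust"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:5}  {case}")
```

Running it shows the asymmetry the question is about: the s3:GetObject request is allowed on the strength of the identity policy alone, while the same identity-policy Allow for sts:AssumeRole gets user C nowhere because the trust policy never names C, and user B is allowed because it does. The outcome for C is not an explicit Deny but the absence of any applicable Allow on the side that, for trust policies, is the only side that counts.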
