Is there any way to block roles outside the AWS organization from assuming roles inside the org using a service control policy (SCP)?

0

The goal is to implement a control similar to an allowlist where only allowed external accounts can assume roles inside the org.

Here’s what I’ve tried:

  • I tried restricting the sts:AssumeRole action in an SCP, but this only works for roles inside the org. From my understanding, since the AssumeRole call is started in the external account, the restriction doesn’t work.
  • I also looked into restricting the iam:UpdateAssumeRolePolicy action in an SCP to see if a restriction for the action can be implemented where users can only specify certain AWS principals in a trust policy, but there is no condition like this for this action.

Is using an SCP the right way to do this? Can this be done with an SCP?

I understand IAM Access Analyzer can be used to alert on when external roles assume roles inside the organization, but that’s more of a reactive control, and we would like to implement a more proactive control where we specify exactly what external accounts are able to assume roles inside the org.

2 answers
4

Try using a Role Trust policy (basically a resource based policy) as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" },
                "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
            }
        }
    ]
}

And use the same for all the roles as required.

AWS
answered a year ago
1

This cannot be done with an SCP. You have to allow this via the trust policy attached to the role. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
        }
    ]
}

This example also uses the ExternalId.

AWS Expert
kentrad
answered a year ago
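Pulling the two answers together, here is an added example in Python (my code, not from either answer or from AWS): an offline audit that flags trust-policy statements admitting sts:AssumeRole from a principal that is neither an org account nor on the external allowlist, plus a builder for a trust policy that combines the first answer's org-ID Deny guard with the second answer's explicit Allow and ExternalId. The Deny guard is extended with an aws:PrincipalAccount exception, because the first answer's Deny taken verbatim would also block the allowlisted external account (a principal outside the org never matches the org ID). The org ID, account IDs, ExternalId and the risky sample policy are constructed values; feeding real role trust policies into audit_trust_policy is an assumption about how you would wire it up.

```python
# Added example, not from the re:Post answers. All IDs are constructed samples.
import json
import re

# A bare 12-digit account ID, or an IAM/STS ARN that carries one.
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def principal_accounts(principal):
    """Account IDs named by a Principal element; '*' stands for any principal.
    Service and Federated principals are not accounts and are skipped."""
    if principal == "*":
        return {"*"}
    found = set()
    for p in _as_list(principal.get("AWS")):
        if p == "*":
            found.add("*")
        else:
            m = _ACCOUNT_RE.match(p)
            if m:
                found.add(m.group(1))
    return found


def has_org_guard(policy):
    """True if a Deny statement keys on aws:PrincipalOrgID with StringNotEquals,
    i.e. the first answer's guard. Condition key names are case-insensitive."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        keys = st.get("Condition", {}).get("StringNotEquals", {})
        if any(k.lower() == "aws:principalorgid" for k in keys):
            return True
    return False


def audit_trust_policy(policy, org_accounts, allowed_external):
    """Findings for Allow statements that admit sts:AssumeRole from a principal
    outside both the org and the allowlist, plus one if the Deny guard is absent.
    An empty list means the policy is within the allowlist control."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        for acct in principal_accounts(st.get("Principal", {})):
            if acct == "*":
                findings.append(f"statement {i}: wildcard principal admits any AWS account")
            elif acct not in org_accounts and acct not in allowed_external:
                findings.append(f"statement {i}: external account {acct} is not allowlisted")
    if not has_org_guard(policy):
        findings.append("no Deny guard on aws:PrincipalOrgID")
    return findings


def build_trust_policy(org_id, allowed_external, external_id):
    """Trust policy combining both answers. Keys inside one condition block are
    ANDed, so the Deny only applies to a caller that is outside our org AND not
    on the allowlist; the Allow admits the allowlisted accounts and requires the
    ExternalId so a third party cannot be tricked into assuming the role."""
    allowed = sorted(allowed_external)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringNotEquals": {"aws:PrincipalOrgID": org_id,
                                        "aws:PrincipalAccount": allowed},
                    "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
                },
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in allowed]},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            },
        ],
    }


# Constructed sample data: our org, two member accounts, one allowlisted partner.
ORG_ID = "o-exampleorgid"
ORG_ACCOUNTS = {"111111111111", "222222222222"}
ALLOWED_EXTERNAL = {"123456789012"}

# Constructed trust policy of the kind the audit should catch: an unlisted
# external account, a wildcard principal, and no org guard.
RISKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "111111111111"}, "Action": "sts:AssumeRole"}
  ]
}""")

if __name__ == "__main__":
    for f in audit_trust_policy(RISKY_POLICY, ORG_ACCOUNTS, ALLOWED_EXTERNAL):
        print("FINDING:", f)
    combined = build_trust_policy(ORG_ID, ALLOWED_EXTERNAL, "partner-external-id")
    print(json.dumps(combined, indent=2))
    print("combined policy findings:", audit_trust_policy(combined, ORG_ACCOUNTS, ALLOWED_EXTERNAL))
```

The audit answers the reactive half of the question (the same check IAM Access Analyzer does, but runnable in a pipeline before a trust policy is applied), while build_trust_policy is the proactive half: the Deny guard has to live in each role's trust policy, as both answers say, since an SCP never evaluates the external caller's side of the AssumeRole. A missing aws:PrincipalOrgID (a caller not in any organization) makes StringNotEquals evaluate true, so such callers are also denied unless their account is on the allowlist.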
