Only allow a role to pass itself


I am trying to write a permission boundary policy that allows developers to create personal IAM roles that are only allowed to pass themselves to EC2 instances.

I'm not seeing an obvious way to write a general-purpose policy for this.

I tried interpolating the role ARN in the resource field, which didn't work because the field only allows using policy variables in the final segment of the ARN.

    {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "${aws:PrincipalArn}"
    }

There doesn't seem to be a way to either retrieve the role name for use in the resource field, or the target role ARN for use in a condition statement.


P.S. I realize I could create a set of policies that each hardcode the name of the role, but I am hoping to write just a single more flexible policy because I want to use it as a permissions boundary.
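As an added illustration (not part of the original question or answer), the following script generates the per-role, hardcoded variant the P.S. mentions: one boundary per developer role, each allowing `iam:PassRole` on exactly that role's ARN, further restricted with the `iam:PassedToService` condition key so the role can only be passed to EC2. It also includes a deliberately simplified, offline evaluator so you can check which PassRole requests such a policy admits. The account id and role names are constructed placeholders; the evaluator models only Allow statements, glob-style resource matching and `StringEquals` conditions, not the full IAM evaluation logic (explicit Deny, policy variables, intersection with the identity policy).

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values (placeholders, not a real account or real roles).
ACCOUNT_ID = "123456789012"
DEVELOPER_ROLES = ["dev-alice", "dev-bob"]


def passrole_boundary(account_id: str, role_name: str) -> dict:
    """Permissions boundary that lets a principal pass exactly one IAM role,
    and only to the EC2 service (iam:PassedToService is a real condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PassOnlyOwnRoleToEc2",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
                },
            }
        ],
    }


def boundaries_for(account_id: str, role_names: list) -> dict:
    """One hardcoded boundary document per role name, keyed by role name."""
    return {name: passrole_boundary(account_id, name) for name in role_names}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def passrole_allowed(policy: dict, target_role_arn: str, passed_to_service: str) -> bool:
    """Simplified offline model (assumption, not AWS's evaluator): an Allow statement
    for iam:PassRole matches when a Resource pattern matches the target role ARN
    (glob-style '*' wildcards) and every StringEquals condition present holds."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase("iam:PassRole", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(target_role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # An absent condition key is treated as satisfied.
        if equals.get("iam:PassedToService", passed_to_service) != passed_to_service:
            continue
        return True
    return False


if __name__ == "__main__":
    boundaries = boundaries_for(ACCOUNT_ID, DEVELOPER_ROLES)
    alice = boundaries["dev-alice"]
    print(json.dumps(alice, indent=2))
    own = f"arn:aws:iam::{ACCOUNT_ID}:role/dev-alice"
    other = f"arn:aws:iam::{ACCOUNT_ID}:role/dev-bob"
    print("alice passes own role to EC2:   ", passrole_allowed(alice, own, "ec2.amazonaws.com"))
    print("alice passes bob's role to EC2: ", passrole_allowed(alice, other, "ec2.amazonaws.com"))
    print("alice passes own role to Lambda:", passrole_allowed(alice, own, "lambda.amazonaws.com"))
```

The `iam:PassedToService` condition is the part worth keeping even if you end up with a different resource pattern: it stops a role that was meant for EC2 from being handed to another service (Lambda, ECS tasks, and so on) as a side door, which is one of the classic PassRole escalation paths the linked KB article is concerned with.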

1 answer

You may want to look at the following KB article and borrow some methods from it: "How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?"

AWS
answered 2 years ago
AWS
reviewed 2 years ago
  • Thank you, but this article does not answer my specific question.

  • And yet it is the correct answer. In your question you say "I am hoping to write just a single more flexible policy" but you cannot (as you have discovered) put a variable name in the condition statement.
