Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

iam role trust policy behavior

0

Hi

aws docs mentioned that iam role trust policy should be treated as a resource based policy but in fact it doesn't .

regularly iam user could get a permission from his identity policy (resource level permission) lets say s3:getobject then he will be allowed to do that action unless an explicit deny exist regardless of the default implicit deny on bucket policy .

so in case of iam role trust policy , lets say : role "A" trust user "B" in the same account if another user "C" in the same account had "sts:assumerole" permission in his identity based policy as a resource level permission then he should be able to assume the role even if user "c" is not in the trust policy which does not happen .

the current behavior is more like an explicit deny for any principal not specified in the trust policy .

it is not the default/documented behavior of the resource based policy which should be an implicit deny .

any thoughts ?

thanks

Tópicos
Segurança, identidade e conformidadeGestão e governançaAWS Well-Architected Framework
Tags
Segurança, identidade e conformidadeAWS Identity and Access ManagementConsole de gerenciamento da AWSSegurançaPolíticas do IAM
Idioma
English
profile picture
YasserAlhawary
feita há 2 anos727 visualizações
2 Respostas
1
Resposta aceita

The documentation has been update to account for this exception.

Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

profile pictureAWS
ESPECIALISTA
kentrad
respondido há 2 anos
  • YasserAlhawary
    há 2 anos

    Actually I read that before but didn't notice , Thanks Alot

1

A user or resource can only assume an identity given the user/resource has "sts:assumerole" permissions for Role A, and role A trusts the user or the entire account that includes users B and C. However, User C would not be able to assume role A unless trusted by Role A even with "sts:assumerole" as a result of least privilege. Principles are not allowed to assume a role unless they are explicitly allowed to in the role’s trust policy. This is because there is an implicit deny by default. An explicit deny would require a Deny statement which would override any allow. This is done to prevent user C from assuming a role with more permissions than they should be allowed.

Attaching the following documentation regarding role trust policies here. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

David_T
respondido há 2 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante