How to create parent policy that limits permissions of child policies it creates

0
  • The context: I am Account A. In my master/parent policy that I am given, I will be able to create, update, and delete policies/roles AND other infrastructure resources in Account B.
  • The goal: I want to craft this master policy to be able to manage ONLY the resources I have created.
  • NOT the problem: trust relationships, external ids, confused deputy, getting access to Account B etc
  • IS the problem: I don't know of a way to enforce that all child policies that I create must also have all of the conditions that the parent policy has. Therefore, a child policy could be created with much greater permissions than the parent policy, defeating the purpose of limiting access to only the resources I have created.
  • CLARIFYING SCENARIO: I could, in the master/parent policy giving access to Account A, provide the condition that all resources, child policies, child roles, etc in Account B MUST be created with tags and MUST have the tags to be updated or deleted. HOWEVER, while I can create policies that say, have that tag, I do not know of any way to enforce that THOSE child policies must ALSO include the EXACT SAME condition that they too can ONLY create/update/delete tagged resources.

How might parent policy conditions be enforced in all child policies such that nothing created could have greater permissions than the creator? If this doesn't exist, it seems like a massive oversight in permissions management in AWS.

  • You can maybe attach an SCP at the org level that explicitly prohibits actions that you don't want users and roles in certain accounts to perform.

2 Answers
0
Accepted Answer

I would recommend using IAM Permissions boundaries. They are an extra set of permissions that can be applied that can set max permissions for an IAM entity.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

answered 2 years ago
reviewed a month ago
0

You can maybe attach an SCP at the org level that explicitly prohibits actions that you don't want users and roles in certain accounts to perform.

AWS
answered 2 years ago
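Worked example for both answers above (added here; it is not code from the re:Post thread or from AWS). It builds the permissions boundary the accepted answer recommends, the delegate's identity policy that only allows `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PutRolePolicy` when the request carries that same boundary (the `iam:PermissionsBoundary` condition key), and the org-level SCP from the second answer that denies removing boundaries in the member account. Because the boundary itself contains the "only create roles that carry this boundary" statement, every child role inherits the same ceiling, which is the recursive guarantee the question asks for. A small evaluator mirrors the documented order (SCP, then boundary AND identity policy must both allow) so the outcomes can be checked offline; it models only the `StringEquals` operator. The account id, policy and role names and the tag value are constructed placeholders.

```python
# Added example, not code from the re:Post thread or from AWS.
import fnmatch

ACCOUNT = "111122223333"                                   # constructed placeholder
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/AccountABoundary"
OWNER_TAG = "aws:ResourceTag/owner"                        # constructed tag key
OWNER = "account-a"                                        # constructed tag value

# Ceiling for the delegate AND for every role it creates: touch resources only
# when they carry our tag, create/extend IAM roles only with this very boundary.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*",
         "Condition": {"StringEquals": {OWNER_TAG: OWNER}}},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                    "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    ],
}

# Identity policy of the delegated role in Account B. It is broad on its own,
# but the boundary above is attached to the role, so effective permissions are
# the intersection of the two documents.
DELEGATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                    "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        # Never strip the boundary from a child role, never edit the boundary itself.
        {"Effect": "Deny", "Action": ["iam:DeleteRolePermissionsBoundary"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
    ],
}

# Org-level SCP (second answer): a guard rail for the whole member account that
# applies to every principal in it, including roles the delegate creates.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["iam:DeleteRolePermissionsBoundary",
                    "iam:DeleteUserPermissionsBoundary"],
         "Resource": "*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, action, resource, ctx):
    """Does this statement apply to the request? Only StringEquals is modelled;
    a condition key missing from the request context makes the condition fail."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(k) == v for k, v in wanted.items())


def evaluate(policy, action, resource, ctx):
    """Single-policy decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, resource, ctx=None):
    """Documented order: the SCP, the boundary and the identity policy must all
    allow the request; any Deny or any implicit deny blocks it."""
    ctx = ctx or {}
    layers = (ORG_SCP, BOUNDARY_POLICY, DELEGATE_POLICY)
    return all(evaluate(p, action, resource, ctx) == "Allow" for p in layers)
```

Usage: `is_allowed("iam:CreateRole", role_arn, {"iam:PermissionsBoundary": BOUNDARY_ARN})` succeeds, the same call without the condition key (a role created with no boundary, or with a different one) is refused, and `iam:DeleteRolePermissionsBoundary` is refused by both the SCP and the identity policy. The two Deny statements on the boundary ARN matter as much as the boundary itself: without them a delegate could widen the ceiling by publishing a new default version of the boundary policy.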
