By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

iam role trust policy behavior

0

Hi

aws docs mentioned that iam role trust policy should be treated as a resource based policy but in fact it doesn't .

regularly iam user could get a permission from his identity policy (resource level permission) lets say s3:getobject then he will be allowed to do that action unless an explicit deny exist regardless of the default implicit deny on bucket policy .

so in case of iam role trust policy , lets say : role "A" trust user "B" in the same account if another user "C" in the same account had "sts:assumerole" permission in his identity based policy as a resource level permission then he should be able to assume the role even if user "c" is not in the trust policy which does not happen .

the current behavior is more like an explicit deny for any principal not specified in the trust policy .

it is not the default/documented behavior of the resource based policy which should be an implicit deny .

any thoughts ?

thanks

Topics
Security, Identity, & ComplianceManagement & GovernanceAWS Well-Architected Framework
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS Management ConsoleSecurityIAM Policies
Language
English
profile picture
YasserAlhawary
asked 2 years ago714 views
2 Answers
1
Accepted Answer

The documentation has been update to account for this exception.

Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

profile pictureAWS
EXPERT
kentrad
answered 2 years ago
  • YasserAlhawary
    2 years ago

    Actually I read that before but didn't notice , Thanks Alot

1

A user or resource can only assume an identity given the user/resource has "sts:assumerole" permissions for Role A, and role A trusts the user or the entire account that includes users B and C. However, User C would not be able to assume role A unless trusted by Role A even with "sts:assumerole" as a result of least privilege. Principles are not allowed to assume a role unless they are explicitly allowed to in the role’s trust policy. This is because there is an implicit deny by default. An explicit deny would require a Deny statement which would override any allow. This is done to prevent user C from assuming a role with more permissions than they should be allowed.

Attaching the following documentation regarding role trust policies here. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

David_T
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content