iam role trust policy behavior
Hi
aws docs mentioned that iam role trust policy should be treated as a resource based policy but in fact it doesn't .
regularly iam user could get a permission from his identity policy (resource level permission) lets say s3:getobject then he will be allowed to do that action unless an explicit deny exist regardless of the default implicit deny on bucket policy .
so in case of iam role trust policy , lets say : role "A" trust user "B" in the same account if another user "C" in the same account had "sts:assumerole" permission in his identity based policy as a resource level permission then he should be able to assume the role even if user "c" is not in the trust policy which does not happen .
the current behavior is more like an explicit deny for any principal not specified in the trust policy .
it is not the default/documented behavior of the resource based policy which should be an implicit deny .
any thoughts ?
thanks
- Newest
- Most votes
- Most comments
The documentation has been update to account for this exception.
Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.
Relevant content
- asked 3 years ago
- asked 5 months ago
- asked 5 months ago
AWS OFFICIALUpdated 6 months ago- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 6 months ago
Actually I read that before but didn't notice , Thanks Alot