For the most recent update on ongoing service disruptions affecting the AWS Middle East (UAE) Region (ME-CENTRAL-1), refer to the AWS Health Dashboard. For information on AWS Service migration, see How do I migrate my services to another region?
iam role trust policy behavior
Hi
aws docs mentioned that iam role trust policy should be treated as a resource based policy but in fact it doesn't .
regularly iam user could get a permission from his identity policy (resource level permission) lets say s3:getobject then he will be allowed to do that action unless an explicit deny exist regardless of the default implicit deny on bucket policy .
so in case of iam role trust policy , lets say : role "A" trust user "B" in the same account if another user "C" in the same account had "sts:assumerole" permission in his identity based policy as a resource level permission then he should be able to assume the role even if user "c" is not in the trust policy which does not happen .
the current behavior is more like an explicit deny for any principal not specified in the trust policy .
it is not the default/documented behavior of the resource based policy which should be an implicit deny .
any thoughts ?
thanks
- Tags
- AWS Identity and Access ManagementIAM PoliciesAWS Management ConsoleSecurity, Identity, & ComplianceSecurity
- Language
- English
- Newest
- Most votes
- Most comments
The documentation has been update to account for this exception.
Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.
Actually I read that before but didn't notice , Thanks Alot