Is there a way to block role assumption attempt from outside the AWS organization using a SCP policy ?

0

I tried this one :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAssumption",
      "Effect": "Deny",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::2XXXXXXXX:role/Role"
    }
  ]
}

But i can still assume a role inside the Organization from outside.

2 Answers
1
Accepted Answer

This can not be done with a SCP. You have to allow this via the Trust Policy attached the role. Something like this:

{
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "sts:AssumeRole", 
  "Condition": {
    "StringNotEquals": {
      "aws:PrincipalOrgId": "${aws:ResourceOrgId}"
    }, 
    "BoolIfExists": { 
       "aws:PrincipalIsAWSService": "false"
    }
  }
}

And use the same for all the roles as required.

SCP are used to restrict the access within the org only. after using above trust policy you can restrict that unintended person cannot modify the role trust policy using SCP.

answered a year ago
profile picture
EXPERT
reviewed a year ago
  • I'm confused - isn't role assumption an action? Why wouldn't this SCP prevent role assumption outside of the given org id?

    {
      "Effect": "Deny",
      "Action": "sts:AssumeRole", 
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgId": "<ORG-ID-HERE>"
        }, 
        "BoolIfExists": { 
           "aws:PrincipalIsAWSService": "false"
        }
      }
    }
    
1

An SCP (Service Control Policy) can only control access to AWS services and actions, but it cannot control the ability to assume roles. Therefore, you cannot use an SCP to block role assumption attempts from outside the AWS organization.

However, you can use an IAM policy to restrict role assumption to a specific set of trusted entities, such as specific AWS accounts or specific IAM users/groups/roles. Here's an example IAM policy that allows role assumption only by specific AWS accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::234567890123:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT-ID-WITH-ROLE:role/ROLE-NAME"
    }
  ]
}

Replace ACCOUNT-ID-WITH-ROLE with the AWS account ID that contains the role that you want to restrict, and replace ROLE-NAME with the name of the role that you want to restrict. Also, replace the Principal element with the AWS accounts that are allowed to assume the role.

Note that this policy only restricts role assumption to specific AWS accounts, but it does not prevent someone with valid credentials in those AWS accounts from assuming the role from outside the AWS organization.

profile picture
Yasser
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions