Is there any way to block roles outside the AWS organization from assuming roles inside the org using a service control policy (SCP)?

0

The goal is to implement a control similar to an allowlist where only allowed external accounts can assume roles inside the org.

Here’s what I’ve tried:

  • Tried restricting the sts:assumerole action in an SCP, but this only works for roles inside the org. From my understanding, since the assumerole is started in the external account, the restriction doesn’t work
  • I also looked into restricting the iam:UpdateAssumerolePolicy action in an SCP to see if a restriction for the action can be implemented where users can only specify certain AWS principals in a trust policy, but there is no condition like this for this action

Is using an SCP the right way to do this? Can this be done with an SCP?

I understand IAM Access Analyzer can be used to alert on when external roles assume roles inside the organization, but that’s more of a reactive control, and we would like to implement a more proactive control where we specify exactly what external accounts are able to assume roles inside the org.

2 Answers
4

Try using a Role Trust policy (basically a resource based policy) as below:

{
    "Effect": "Deny",
    "Principal": { "AWS": "*" },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" },
        "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
    }
}

And use the same for all the roles as required.

AWS
answered a year ago
1

This cannot be done with an SCP. You have to allow this via the Trust Policy attached to the role. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
        }
    ]
}

This example also uses the ExternalId.

AWS EXPERT
kentrad
answered a year ago
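Both answers come down to the role's trust policy: the first answer's Deny keeps anything outside the org out, the second answer's Allow names one external account (ideally with sts:ExternalId). As an added example that is not part of either answer, the following script audits a trust policy offline against exactly those two patterns: it reports principals outside the org that are not on an allowlist, allowlisted externals missing sts:ExternalId, and the case where an org-guard Deny silently overrides an external Allow (Deny always wins in IAM). ORG_ACCOUNTS, ALLOWED_EXTERNAL and SAMPLE_POLICY are constructed inputs, not values from the page beyond the 123456789012 account it uses.

```python
import re
# Constructed inputs (not from the page): our org's member accounts and the
# external accounts we deliberately allow (the second answer's 123456789012).
ORG_ACCOUNTS = {"111111111111", "222222222222"}
ALLOWED_EXTERNAL = {"123456789012"}
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])
def _cond(st, operator):
    """Condition block for one operator; IAM keys are case-insensitive, so lowercase them."""
    return {k.lower(): v for k, v in st.get("Condition", {}).get(operator, {}).items()}

def principal_accounts(principal):
    """Account IDs named by a Principal ('*' = any); Match[1] is group 1, else keep p."""
    aws = principal if isinstance(principal, str) else principal.get("AWS")
    return {(ACCOUNT_RE.match(p) or (None, p))[1] for p in _as_list(aws)}

def has_org_guard(policy):
    """True if a Deny pins aws:PrincipalOrgID to the role's own org (first answer)."""
    return any(st.get("Effect") == "Deny" and "${aws:resourceorgid}" in [
        v.lower() for v in _as_list(_cond(st, "StringNotEquals").get("aws:principalorgid"))]
        for st in policy["Statement"])

def audit_trust_policy(policy):
    """Flag Allow statements that reach outside the org beyond the allowlist, and
    allowlisted externals without sts:ExternalId. An org-guard Deny always wins."""
    findings, guarded = [], has_org_guard(policy)
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        has_ext_id = "sts:externalid" in _cond(st, "StringEquals")
        for acct in sorted(principal_accounts(st.get("Principal", {}))):
            if acct == "*" and not guarded:
                findings.append("wildcard principal without org guard")
            elif acct == "*" or acct in ORG_ACCOUNTS:
                continue
            elif guarded:
                findings.append(f"org guard Deny overrides Allow for external {acct}")
            elif acct not in ALLOWED_EXTERNAL:
                findings.append(f"external account {acct} not on allowlist")
            elif not has_ext_id:
                findings.append(f"allowlisted {acct} without sts:ExternalId")
    return findings

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample
    {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "sts:AssumeRole"}]}
```

Feed it the `AssumeRolePolicyDocument` of each role (for example from `aws iam get-role`) to turn the reactive Access Analyzer alert into a repeatable pre-deployment check.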
