iam role trust policy behavior

0

Hi

AWS docs mentioned that an IAM role trust policy should be treated as a resource-based policy, but in fact it isn't.

Regularly, an IAM user could get a permission from his identity policy (resource-level permission), let's say s3:GetObject; then he will be allowed to do that action unless an explicit deny exists, regardless of the default implicit deny in the bucket policy.

So in the case of an IAM role trust policy, let's say: role "A" trusts user "B" in the same account. If another user "C" in the same account had "sts:AssumeRole" permission in his identity-based policy as a resource-level permission, then he should be able to assume the role even if user "C" is not in the trust policy, which does not happen.

The current behavior is more like an explicit deny for any principal not specified in the trust policy.

It is not the default/documented behavior of a resource-based policy, which should be an implicit deny.

Any thoughts?

Thanks

2 Answers
1
Accepted Answer

The documentation has been updated to account for this exception.

Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

AWS
Expert
kentrad
answered 2 years ago
  • Actually I read that before but didn't notice, thanks a lot

1

A user or resource can only assume an identity given the user/resource has "sts:AssumeRole" permissions for Role A, and role A trusts the user or the entire account that includes users B and C. However, User C would not be able to assume role A unless trusted by Role A even with "sts:AssumeRole" as a result of least privilege. Principals are not allowed to assume a role unless they are explicitly allowed to in the role's trust policy. This is because there is an implicit deny by default. An explicit deny would require a Deny statement which would override any allow. This is done to prevent user C from assuming a role with more permissions than they should be allowed.

Attaching the following documentation regarding role trust policies here. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

David_T
answered 2 years ago
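To make the exception both answers describe concrete, here is an added example (not code from the thread or from AWS) that models same-account sts:AssumeRole evaluation: an explicit Deny wins, and a trust policy that does not name the principal is a final denial that an identity-policy Allow cannot override. The account id, the role/user names and the policy documents are constructed for illustration.

```python
# Added example: simplified model of same-account sts:AssumeRole evaluation.
# Account id, principal names and policies below are constructed.
ACCOUNT = "123456789012"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/A"
USER_B = f"arn:aws:iam::{ACCOUNT}:user/B"
USER_C = f"arn:aws:iam::{ACCOUNT}:user/C"

# Role A's trust policy names only user B.
TRUST_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_B}, "Action": "sts:AssumeRole"}]}

# Identity policy attached to both B and C: sts:AssumeRole on role A.
ASSUME_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _decision(policy, matches):
    """'Allow', 'Deny' or 'ImplicitDeny' from the statements that grant or deny
    sts:AssumeRole and satisfy matches(); an explicit Deny wins immediately."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "sts:AssumeRole" in _as_list(stmt["Action"]) and matches(stmt):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def trust_decision(trust_policy, principal_arn):
    """Trust policy names the principal directly, via the account root, or '*'."""
    return _decision(trust_policy, lambda s: bool(
        {principal_arn, ROOT, "*"} & set(_as_list(s.get("Principal", {}).get("AWS", [])))))


def identity_decision(identity_policy, role_arn):
    """Identity policy covers sts:AssumeRole on this role ARN (or '*')."""
    return _decision(identity_policy, lambda s: bool(
        {role_arn, "*"} & set(_as_list(s["Resource"]))))


def can_assume_role(principal_arn, identity_policy, trust_policy, role_arn):
    """Explicit Deny anywhere wins. Then, unlike an ordinary resource-based policy,
    an ImplicitDeny in the trust policy is final; identity Allow cannot override it."""
    trust = trust_decision(trust_policy, principal_arn)
    identity = identity_decision(identity_policy, role_arn)
    if "Deny" in (trust, identity):
        return False
    return trust == "Allow" and identity == "Allow"
```

Running `can_assume_role(USER_C, ASSUME_A, TRUST_A, ROLE_A)` returns False even though C's identity policy allows sts:AssumeRole on role A; adding C's ARN to the trust policy's Principal is what flips it to True.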
