Can I escalate my privileges if I have read-write access to IAM service in AWS?

Time: 03-10

We are trying to convince folks in our company to grant developers full privileges to all services in "dev" account (current policy does not allow developers to create anything in our AWS account, because "security").

Folks say we might grant you full privileges to certain services, e.g. S3, but some services (specifically IAM) will be off limits. The argument is that users would be able to grant themselves all kinds of permissions if they have read/write access to the IAM service in our account.

In following scenario:

  • There are two S3 buckets (s1 and s2) in an AWS account.
  • User thekashyap is granted full control over s1, but not s2 (so he can't see/read/write/access/manage s2 at all).
  • User thekashyap is granted full control over IAM service.

Questions:

  1. Can thekashyap grant himself access to s2 by doing something in IAM?
  2. Can thekashyap create a new IAM user that has access to s2?
  3. If answer to either 1 or 2 is yes, then is there a way to prevent it other than revoking all IAM privileges of thekashyap?

I've read:

and a few more...

CodePudding user response:

  1. Yes, the user can grant access to any and all S3 buckets.

  2. Yes, the user can create new IAM Users that can access any and all buckets (and anything else in the AWS Account).

  3. You could be very specific about which IAM access can be granted (eg can only put users in specific IAM Groups) but that would probably take away the reason why you wanted to have IAM access in the first place.

Either the account needs to be "anyone can do anything" (with the result that somebody else might modify/destroy the resources you created), or you need to give each developer their own AWS Account to treat as a 'sandbox' where nobody else can impact it.

An in-between option might be to allow users to deploy AWS CloudFormation stacks that can create infrastructure but (generally) does not allow existing infrastructure to be impacted.

CodePudding user response:

  1. Yes
  2. Yes
  3. Yes, you can achieve it by adding a bucket policy.

Open Bucket > Permissions > Bucket Policy

Then add a policy similar to the one below:

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {
            "AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::YOUR_BUCKET_NAME/*",
            "arn:aws:s3:::YOUR_BUCKET_NAME"
        ]
    }]
}
```

This policy denies access to the bucket for the user, even if the user has admin permissions.
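As an added illustration (not part of either answer), a small Python model of the evaluation rule the bucket-policy answer relies on: an explicit Deny wins over any Allow, even one from an admin identity policy. The account id and the second user are constructed; the model covers same-account access only and ignores conditions, SCPs and permissions boundaries.

```python
from fnmatch import fnmatch

ACCOUNT = "123456789012"                                  # constructed account id
THEKASHYAP = f"arn:aws:iam::{ACCOUNT}:user/thekashyap"
NEW_USER = f"arn:aws:iam::{ACCOUNT}:user/made-by-thekashyap"  # constructed: a user created via iam:*
ADMIN = {"Version": "2012-10-17",                         # identity policy: full admin
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def bucket_deny_policy(user_arn, bucket):
    """The Deny bucket policy from the answer, parameterised."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": {"AWS": user_arn}, "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, principal, action, resource):
    """Does this statement match the caller, action and resource (wildcards allowed)?"""
    if "Principal" in stmt:                               # present only in resource policies
        p = stmt["Principal"]
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(fnmatch(principal, a) for a in allowed):
            return False
    return (any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(principal, action, resource, identity_policy, bucket_policy):
    """Same-account evaluation: any explicit Deny wins; otherwise an Allow from
    either the identity policy or the bucket policy grants; else implicit Deny."""
    effects = set()
    for stmt in identity_policy["Statement"]:
        # identity policies carry no Principal: they apply to the caller itself
        if _applies({**stmt, "Principal": {"AWS": principal}}, principal, action, resource):
            effects.add(stmt["Effect"])
    for stmt in bucket_policy["Statement"]:
        if _applies(stmt, principal, action, resource):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

S2_POLICY = bucket_deny_policy(THEKASHYAP, "s2")

def can_read_s2(principal):
    return evaluate(principal, "s3:GetObject", "arn:aws:s3:::s2/secret.txt", ADMIN, S2_POLICY)

if __name__ == "__main__":
    print("thekashyap:", can_read_s2(THEKASHYAP))   # Deny: bucket policy overrides admin
    print("new user:  ", can_read_s2(NEW_USER))     # Allow: the Deny names only thekashyap
```

AWS stores the Deny principal as the user's unique ID, so the policy stops naming thekashyap if that user is deleted and recreated; the second check shows the analogous gap for a freshly created user, which is what point 2 of the first answer is about. Against a real account, `aws iam simulate-principal-policy` with `--resource-policy` is the way to confirm the effective result.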
