AWS permission boundary won't apply to the second user

Time: 01-29

I tried to implement the AWS Permission Boundary on user1, who has full permission on IAM actions. Then user1 created another user (user2). user2 is able to do any action without any restriction. As I understood, user2 should not have more permission than user1. Has anyone had the same issue? Does anyone have a sample Permission Boundary policy?

CodePudding user response:

Had a similar issue with AWS Permission Boundary, and the issue was that the policy didn't deny some permissions, e.g. DeleteUserPermissionsBoundary, DeleteRolePermissionsBoundary.

You can find the full video explanation here: https://youtu.be/ExjW3HCFG1U?t=3402

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMAccess",
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*"
        },
        {
            "Sid": "DenyCreatingUserWithoutPermissionBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/*",
                "arn:aws:iam::YOUR_ACCOUNT_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
                }
            }
        },
        {
            "Sid": "DenyDeletingPolicy",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
            ]
        },
        {
            "Sid": "DenyDeletingPermBoundaryFromAnyUserOrRole",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/*",
                "arn:aws:iam::YOUR_ACCOUNT_ID:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
                }
            }
        },
        {
            "Sid": "DenyUpdatingPermissionBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:PutUserPermissionsBoundary",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YOUR_ACCOUNT_ID:user/*",
                "arn:aws:iam::YOUR_ACCOUNT_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/permission-boundary"
                }
            }
        }
    ]
}
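Two checks that follow from the answer above, written as an added example (not code from the question or the answer): one flags users or roles that carry no boundary or a different one (user2's state in the question), the other flags which of the escape-hatch actions the answer lists are not covered by a Deny in a boundary policy. The record shape mirrors boto3's iam.list_users()/list_roles() entries, but the sample data, the account id and the function names are constructed for illustration.

```python
import json

# Constructed placeholder account id; replace with the real one when auditing.
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/permission-boundary"

# The actions the answer's policy denies. If any is missing from a Deny,
# a principal created under the boundary can remove or swap it.
REQUIRED_DENIES = {
    "iam:CreateUser", "iam:CreateRole",
    "iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
    "iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary",
    "iam:DeletePolicy", "iam:DeletePolicyVersion",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
}

def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]

def missing_denies(policy_doc: dict) -> set:
    """Escape-hatch actions that no Deny statement in policy_doc names.
    Only action coverage is checked, not the Resource/Condition details."""
    denied = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Deny":
            denied.update(_as_list(stmt.get("Action", [])))
    return REQUIRED_DENIES - denied

def unbounded_principals(principals: list, boundary_arn: str = BOUNDARY_ARN) -> list:
    """Names of users/roles whose PermissionsBoundary is absent or not boundary_arn."""
    found = []
    for p in principals:
        arn = p.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
        if arn != boundary_arn:
            found.append(p.get("UserName") or p.get("RoleName"))
    return found

# Constructed sample: user1 has the boundary, user2 was created without one.
SAMPLE_USERS = [
    {"UserName": "user1", "Arn": "arn:aws:iam::123456789012:user/user1",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": BOUNDARY_ARN}},
    {"UserName": "user2", "Arn": "arn:aws:iam::123456789012:user/user2"},
]

# Constructed policy that stops at the CreateUser/CreateRole guard.
INCOMPLETE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
  {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateRole"], "Resource": "*",
   "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": "%s"}}}]}""" % BOUNDARY_ARN)

if __name__ == "__main__":
    print("no boundary:", unbounded_principals(SAMPLE_USERS))        # ['user2']
    print("missing denies:", sorted(missing_denies(INCOMPLETE_POLICY)))
```

Against a live account, feed the `Users`/`Roles` lists from boto3 and the decoded default version of the boundary policy into the same two functions.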
