Is it possible to create an AWS role (with "iam:CreateRole"
permissions) to prevent it having privilege escalation, and only allow it to create new roles with a specific set of permissions e.g: "s3:GetObject"
?
I am not sure if PermissionsBoundary
is what I am after something like (in terraform):
statement {
sid = "AddRole"
effect = "Allow"
actions = ["iam:CreateRole", "s3:CreateBucket"]
resources = ["arn:aws:iam::${var.cluster.aws_account_id}:role/*"]
condition {
test = "StringEquals"
values = [aws_iam_policy.boundary_role_iam_policy.arn]
variable = "iam:PermissionsBoundary"
}
}
where boundary_role_iam_policy
is a role with just allow "s3:GetObject"
?
CodePudding user response:
Tbh, it's a really complicated case, you should perfectly understand IAM to do it correctly. I would recommend you to pass AWS Certified Security - Specialty before doing such things in the production environment.
It is possible to do it using SCP, and Permissions boundary
, but in the other way, then you want to do it.
SCP
- should prevent access to create roles without attached
Permissions boundary
- preventing the ability to read/edit/detach
Permissions boundary
(for everything beyond you)
- should prevent access to create roles without attached
Permissions boundary Policy
- rest denis
- for example, deny access to 'admin-stuff' s3 bucket. In this way roles with attached
Permissions boundary
wouldn't be able to access this bucket even if their policies allow that.
- for example, deny access to 'admin-stuff' s3 bucket. In this way roles with attached
- rest denis
CodePudding user response:
Yes, a permission boundary is exactly what you need.
Add the following as a permission boundary of the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"iam:CreateUser"
],
"Resource": "*"
}
]
}