Is it possible to create an AWS role (with "iam:CreateRole" permissions) to prevent it having privilege escalation, and only allow it to create new roles with a specific set of permissions e.g: "s3:GetObject"?
I am not sure if PermissionsBoundary is what I am after something like (in terraform):
statement {
sid = "AddRole"
effect = "Allow"
actions = ["iam:CreateRole", "s3:CreateBucket"]
resources = ["arn:aws:iam::${var.cluster.aws_account_id}:role/*"]
condition {
test = "StringEquals"
values = [aws_iam_policy.boundary_role_iam_policy.arn]
variable = "iam:PermissionsBoundary"
}
}
where boundary_role_iam_policy is a role with just allow "s3:GetObject"?
CodePudding user response:
Tbh, it's a really complicated case, you should perfectly understand IAM to do it correctly. I would recommend you to pass AWS Certified Security - Specialty before doing such things in the production environment.
It is possible to do it using SCP, and Permissions boundary, but in the other way, then you want to do it.
SCP- should prevent access to create roles without attached
Permissions boundary - preventing the ability to read/edit/detach
Permissions boundary(for everything beyond you)
- should prevent access to create roles without attached
Permissions boundary Policy- rest denis
- for example, deny access to 'admin-stuff' s3 bucket. In this way roles with attached
Permissions boundarywouldn't be able to access this bucket even if their policies allow that.
- for example, deny access to 'admin-stuff' s3 bucket. In this way roles with attached
- rest denis
CodePudding user response:
Yes, a permission boundary is exactly what you need.
Add the following as a permission boundary of the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"iam:CreateUser"
],
"Resource": "*"
}
]
}