Home > database >  Restricting role escalation in AWS iam permissions
Restricting role escalation in AWS iam permissions

Time:08-17

Is it possible to create an AWS role (with "iam:CreateRole" permissions) to prevent it having privilege escalation, and only allow it to create new roles with a specific set of permissions e.g: "s3:GetObject"?

I am not sure if PermissionsBoundary is what I am after something like (in terraform):

  statement {
    sid       = "AddRole"
    effect    = "Allow"
    actions   = ["iam:CreateRole", "s3:CreateBucket"]
    resources = ["arn:aws:iam::${var.cluster.aws_account_id}:role/*"]
    condition {
      test     = "StringEquals"
      values   = [aws_iam_policy.boundary_role_iam_policy.arn]
      variable = "iam:PermissionsBoundary"
    }
  }

where boundary_role_iam_policy is a role with just allow "s3:GetObject"?

CodePudding user response:

Tbh, it's a really complicated case, you should perfectly understand IAM to do it correctly. I would recommend you to pass AWS Certified Security - Specialty before doing such things in the production environment.

It is possible to do it using SCP, and Permissions boundary, but in the other way, then you want to do it.

  • SCP

    • should prevent access to create roles without attached Permissions boundary
    • preventing the ability to read/edit/detach Permissions boundary (for everything beyond you)
  • Permissions boundary Policy

    • rest denis
      • for example, deny access to 'admin-stuff' s3 bucket. In this way roles with attached Permissions boundary wouldn't be able to access this bucket even if their policies allow that.

CodePudding user response:

Yes, a permission boundary is exactly what you need.

Add the following as a permission boundary of the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "iam:CreateUser"
            ],
            "Resource": "*"
        }
    ]
}
  • Related