Tags: amazon-web-services, amazon-iam

How can an IAM role be restricted from gaining higher permissions than it itself is allowed, through role chaining?


I have a role named ThisRole with following deny permissions:

        {
            "Sid": "DenyPolicies",
            "Effect": "Deny",
            "Action": [
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachUserPolicy",
                "iam:CreateGroup",
                "iam:CreateLoginProfile",
                "iam:CreateUser",
                "iam:DeleteUser",
                "iam:DeleteLoginProfile",
                "iam:DeleteAccountPasswordPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeleteUserPolicy",
                "iam:DeleteVirtualMFADevice",
                "iam:DetachGroupPolicy",
                "iam:DetachUserPolicy",
                "iam:EnableMFADevice",
                "iam:RemoveUserFromGroup",
                "iam:UpdateGroup"
            ],
            "Resource": "*"
        }

And following allow permissions:

    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]

I do want ThisRole to create new roles and to create new and update existing IAM policies, which is why iam:CreateRole and the like are not denied. But this leaves a back door open for this role to:

  1. Create a new role (let's say NewRole).
  2. Allow this NewRole all the permissions that ThisRole itself is denied.
  3. Assume this NewRole (role chaining).
  4. Execute permissions that are otherwise denied for ThisRole.

What is the best way to allow ThisRole to create new roles/policies, modify existing roles/policies or assume another role but only within the limits of what it itself is allowed to do?


Solution

  • Your best option is to use a Permissions Boundary.

    In this way you will allow them to create roles, but they will be forced to use the permissions boundary you define, restricting what they can do.

    The two links below will explain more:
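Worked example of the boundary scheme the answer recommends, added here as illustration; it is neither the answerer's code nor anything from AWS. The account id, the boundary policy name and NewRole's ARN are made up. The policy documents are constructed to match the question: the boundary repeats the question's deny list and additionally denies the actions that would let a principal strip or swap a boundary, ThisRole's identity policy gains a Deny that fires whenever iam:CreateRole / iam:AttachRolePolicy / iam:PutRolePolicy is called without the boundary (iam:PermissionsBoundary is the IAM condition key for that), and both documents deny editing the boundary policy itself. The evaluator is a deliberately small model of IAM's decision logic (explicit Deny wins, a boundary must Allow, an identity policy must Allow; only StringEquals and StringNotEquals on one key are modelled) so the four-step attack from the question can be replayed offline:

```python
"""Toy model of the permissions-boundary fix for the role-chaining escalation above.

Added illustration, not AWS or the answerer's code.  Policy documents are constructed
for this example (account id, policy name and role ARN are made up).  The evaluator
implements only the slice of IAM's logic needed here: an explicit Deny anywhere wins,
a boundary (when present) must Allow, then an identity policy must Allow.  Only the
StringEquals / StringNotEquals operators on a single key are modelled; as in IAM, a
missing key makes StringEquals false and StringNotEquals true.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                      # assumed account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/RoleBoundary"  # assumed policy name
NEW_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/NewRole"

# The question's deny list, plus the actions that would let a principal remove or
# swap a boundary: without these the boundary is only decoration.
DENIED_ACTIONS = [
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachUserPolicy",
    "iam:CreateGroup", "iam:CreateLoginProfile", "iam:CreateUser", "iam:DeleteUser",
    "iam:DeleteLoginProfile", "iam:DeleteAccountPasswordPolicy", "iam:DeleteGroup",
    "iam:DeleteGroupPolicy", "iam:DeleteOpenIDConnectProvider", "iam:DeleteUserPolicy",
    "iam:DeleteVirtualMFADevice", "iam:DetachGroupPolicy", "iam:DetachUserPolicy",
    "iam:EnableMFADevice", "iam:RemoveUserFromGroup", "iam:UpdateGroup",
    "iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary",
    "iam:DeleteUserPermissionsBoundary", "iam:PutUserPermissionsBoundary",
]
# Nobody in this scheme may rewrite the boundary policy document itself.
PROTECT_BOUNDARY = {
    "Effect": "Deny",
    "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
               "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
    "Resource": BOUNDARY_ARN,
}
# Boundary attached to every role ThisRole creates.
BOUNDARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": DENIED_ACTIONS, "Resource": "*"},
    PROTECT_BOUNDARY,
]}
# ThisRole's identity policy: Allow-all plus the deny list, plus a Deny that fires
# whenever role creation / policy attachment does not carry the boundary.
THIS_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": DENIED_ACTIONS, "Resource": "*"},
    PROTECT_BOUNDARY,
    {"Effect": "Deny",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
]}
# What the attacker attaches to NewRole in step 2 of the question.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))


def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            elif op == "StringNotEquals" and have == want:
                return False
            elif op not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(op)
    return True


def _decision(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (nothing matched) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource) and _condition_holds(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(identity_policy, action, resource="*", boundary=None, ctx=None):
    """Simplified IAM decision for one identity policy and an optional boundary."""
    ctx = ctx or {}
    if _decision(identity_policy, action, resource, ctx) != "Allow":
        return False
    return boundary is None or _decision(boundary, action, resource, ctx) == "Allow"


def escalation_attempt():
    """Replay the question's four-step attack with the boundary scheme in place."""
    with_boundary = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    return {
        # step 1: creating NewRole is refused unless the request names the boundary
        "create_role_unbounded": is_allowed(THIS_ROLE_POLICY, "iam:CreateRole", NEW_ROLE_ARN),
        "create_role_bounded": is_allowed(THIS_ROLE_POLICY, "iam:CreateRole", NEW_ROLE_ARN, ctx=with_boundary),
        # step 2: attaching Allow-* to the bounded NewRole is fine; the boundary still caps it
        "attach_admin_to_newrole": is_allowed(THIS_ROLE_POLICY, "iam:AttachRolePolicy", NEW_ROLE_ARN, ctx=with_boundary),
        # steps 3-4: after assuming NewRole the denied actions stay denied, everything else works
        "newrole_create_user": is_allowed(ADMIN_POLICY, "iam:CreateUser", boundary=BOUNDARY_POLICY),
        "newrole_s3_get": is_allowed(ADMIN_POLICY, "s3:GetObject", boundary=BOUNDARY_POLICY),
        # escape hatches: neither role may strip NewRole's boundary or rewrite the boundary policy
        "newrole_strip_boundary": is_allowed(ADMIN_POLICY, "iam:DeleteRolePermissionsBoundary", NEW_ROLE_ARN, boundary=BOUNDARY_POLICY),
        "thisrole_strip_boundary": is_allowed(THIS_ROLE_POLICY, "iam:DeleteRolePermissionsBoundary", NEW_ROLE_ARN),
        "thisrole_edit_boundary": is_allowed(THIS_ROLE_POLICY, "iam:CreatePolicyVersion", BOUNDARY_ARN),
    }


if __name__ == "__main__":
    for check, allowed in escalation_attempt().items():
        print(f"{check:26} {'ALLOW' if allowed else 'DENY'}")
```

The two extra Deny groups are the part people usually forget: a boundary that the bounded role (or the role that created it) can delete, replace, or edit via a new policy version gives no protection at all. Whether the StringNotEquals Deny or an Allow with StringEquals is the right shape depends on whether the identity policy stays Allow-*, as it does in the question; with a narrower identity policy a conditional Allow on the same three actions is the more usual form.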