I have a role named ThisRole with the following deny permissions:
{
    "Sid": "DenyPolicies",
    "Effect": "Deny",
    "Action": [
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "iam:AttachUserPolicy",
        "iam:CreateGroup",
        "iam:CreateLoginProfile",
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:DeleteLoginProfile",
        "iam:DeleteAccountPasswordPolicy",
        "iam:DeleteGroup",
        "iam:DeleteGroupPolicy",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeleteUserPolicy",
        "iam:DeleteVirtualMFADevice",
        "iam:DetachGroupPolicy",
        "iam:DetachUserPolicy",
        "iam:EnableMFADevice",
        "iam:RemoveUserFromGroup",
        "iam:UpdateGroup"
    ],
    "Resource": "*"
}
And the following allow permissions:
"Statement": [
    {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
    }
]
I do want ThisRole to create new roles, and to create new and update existing IAM policies, which is why iam:CreateRole and the likes are not denied. But this leaves the back door open for this role to:
NewRole)
NewRole all the permissions itself is denied upon.
NewRole (role chaining).
ThisRole.
What is the best way to allow ThisRole to create new roles/policies, modify existing roles/policies or assume another role, but only within the limits of what it itself is allowed to do?
Your best option is to use a Permissions Boundary.
In this way you will allow them to create roles, but they will be forced to use the permissions boundary you define, restricting what they can do.
The two links below will explain more:
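As an added example (not code from the question or the answer), the Python below builds the two policy documents this pattern needs: a boundary that mirrors ThisRole's deny list, and a guardrail for ThisRole that denies creating or changing roles unless they carry that boundary and protects the boundary policy itself. A simplified evaluator then shows that a role created under the boundary cannot use a denied action even when Allow * is attached to it. The account id, policy name and the evaluator itself are assumptions; Resource and Condition are ignored in the evaluator.

```python
import fnmatch  # glob-style matching for Action wildcards such as "*" or "iam:*"
# Constructed placeholders: the account id and the boundary policy's name.
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/ThisRoleBoundary"
# The deny list from the question, reused as the boundary's deny list.
DENIED_ACTIONS = [
    "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachUserPolicy", "iam:CreateGroup",
    "iam:CreateLoginProfile", "iam:CreateUser", "iam:DeleteUser", "iam:DeleteLoginProfile",
    "iam:DeleteAccountPasswordPolicy", "iam:DeleteGroup", "iam:DeleteGroupPolicy",
    "iam:DeleteOpenIDConnectProvider", "iam:DeleteUserPolicy", "iam:DeleteVirtualMFADevice",
    "iam:DetachGroupPolicy", "iam:DetachUserPolicy", "iam:EnableMFADevice",
    "iam:RemoveUserFromGroup", "iam:UpdateGroup",
]

def boundary_policy():
    """Permissions boundary: everything ThisRole may do, minus its deny list."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": DENIED_ACTIONS, "Resource": "*"},
    ]}

def guardrail_policy():
    """Denies for ThisRole: created/changed roles must carry the boundary; the boundary stays intact."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RequireBoundary", "Effect": "Deny", "Resource": "*",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                    "iam:PutRolePermissionsBoundary"],
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Sid": "KeepBoundary", "Effect": "Deny", "Resource": "*",
         "Action": "iam:DeleteRolePermissionsBoundary"},
        {"Sid": "ProtectBoundaryPolicy", "Effect": "Deny", "Resource": BOUNDARY_ARN,
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"]},
    ]}

def _decision(policy, action):
    """'Deny', 'Allow' or None from one policy (Resource and Condition are ignored here)."""
    verdict = None
    for st in policy["Statement"]:
        acts = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if any(fnmatch.fnmatchcase(action, a) for a in acts):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny in any statement is final
            verdict = "Allow"
    return verdict

def is_allowed(action, identity_policy, boundary=None):
    """Simplified IAM logic: deny wins; otherwise both identity policy and boundary must allow."""
    b = "Allow" if boundary is None else _decision(boundary, action)
    return (_decision(identity_policy, action), b) == ("Allow", "Allow")
```

The guardrail only works if ThisRole is also denied from detaching or deleting the guardrail from itself, so keep that policy outside ThisRole's reach as well.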