I have a role named ThisRole with following deny permissions:
{
"Sid": "DenyPolicies",
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup",
"iam:AttachGroupPolicy",
"iam:AttachUserPolicy",
"iam:CreateGroup",
"iam:CreateLoginProfile",
"iam:CreateUser",
"iam:DeleteUser",
"iam:DeleteLoginProfile",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteOpenIDConnectProvider",
"iam:DeleteUserPolicy",
"iam:DeleteVirtualMFADevice",
"iam:DetachGroupPolicy",
"iam:DetachUserPolicy",
"iam:EnableMFADevice",
"iam:RemoveUserFromGroup",
"iam:UpdateGroup",
],
"Resource": "*"
}
And following allow permissions:
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
I do want ThisRole to create new roles, create new and update existing IAM policies. Which is why iam:CreateRole and the likes are not denied. But this leaves the back door open for this role to:
NewRole).NewRole all the permissions itself is denied upon.NewRole (role chaining).ThisRole.What is the best way to allow ThisRole to create new roles/policies, modify existing roles/policies or assume another role but only within the limits of what it itself is allowed to do?
Your best option is to use Permissions Boundary.
In this way you will allow them to create roles but they will be forced to use the permissions boundary you define, restricting them on what they can do.
Two links below will explain you more: