I'm planning to develop a multi tenant platform based on the AWS stack. For each customer, let's call them customerA and customerB I want to create individual resources and restrict them that customerA can't see all stuff from customerB.
The first step to set up for the customer is to set up an IAM user with rights to manage all rights for the user. So I want to give the IAM user the rights to create IAM roles and policies and assign them to users but only for the ARN with the resource name customerA__* as prefix. This way it's possible to give the user the rights to create for example roles giving dynamoDB create table rights with a role name of customerA__rolename as planned but I want to further limit it that all roles also need to be bound to this scope, otherwise customerA__deleteTable could also be used to delete customerBs tables.
So in short: Is it possible to create an IAM role that limits all rights to have the name customerA__xyz and also to limit it's scope for each created role to resources with the name customerA__*
If it's not possible any other suggestions how to set up multi tenant rights for AWS? I don't want to create a separate AWS account for each customer for separation and I doubt this can be automated in a legal way.
Thanks in advance :)
There is indeed functionality for this by writing a permission boundary that prevents an IAM user from actually granting more permissions than they already have (which would allow them to bypass this).
A permissions boundary will be evaluated before the permissions so it will take a higher precedence than any permissions a user can set.
AWS have actually created a thorough policy you can use for this use case on their How can I use permissions boundaries to limit the scope of IAM users and roles and prevent privilege escalation? documentation page.
If you add this within your account you should be able to validate that it provides the functionality that you're expecting.