I have this managed policy for AWS Developer Power User, which gives the user access to all AWS resources and actions except IAM and Organizations (just one level below the Admin role).

  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Federated:
            - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/ABC"
        Action: 'sts:AssumeRoleWithSAML'
        Condition:
          StringEquals:
            SAML:aud: "https://signin.aws.amazon.com/saml"
  Path: /
  Policies:
    - PolicyName: ABC
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Power-user style: everything except IAM, Organizations and Account
          - Effect: Allow
            NotAction:
              - iam:*
              - organizations:*
              - account:*
            Resource: '*'
          # Narrow exceptions carved back out of the excluded services
          - Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteServiceLinkedRole
              - iam:ListRoles
              - organizations:DescribeOrganization
              - account:ListRegions
            Resource: '*'

I want to restrict the user's access to particular dates (for example, during a deployment schedule) and added the code below for the Date operator.

Condition:
  DateGreaterThan:
    aws:CurrentTime: '2020-04-01T00:00:00Z'
  DateLessThan:
    aws:CurrentTime: '2020-06-30T23:59:59Z'

However, adding the above condition clause to the PowerUser managed policy throws a 400 Malformed error during deployment of the policy in the AWS Console.

Is it possible to add the date condition clause to the PowerUserAccess managed policy? https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_developer-power-user

DM_Darko

1 Answer

If you want to use the IAM managed policy, you can just add another policy to the user that denies access if they're outside the date range.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBeforeWindow",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "DateLessThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}
            }
        },
        {
            "Sid": "DenyAfterWindow",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
            }
        }
    ]
}

An explicit deny will always override any allow statement; for more information on policy evaluation, check out the Policy Evaluation page on AWS.

Chris Williams
  • But adding an inline policy to users is not best practice, especially if users keep changing. Can this policy be applied to the managed policy? – DM_Darko Jul 21 '20 at 04:01
  • You cannot add to the managed policy; this is an AWS managed policy that they maintain. It does not need to be inline. If a user has Power-User access they should not have the ability to modify their own IAM permissions. – Chris Williams Jul 21 '20 at 05:29
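As an added example (not part of the question, the answer, or any AWS tooling), here is a small Python model of the evaluation rule the answer relies on: an explicit Deny overrides every Allow, and operators inside one Condition block are ANDed, which is why a deny-outside-the-window policy needs two statements. The policy dictionaries and dates are condensed from this page; the evaluator itself is a simplified stand-in for the IAM engine and only handles the operators used here.

```python
from datetime import datetime, timezone
from fnmatch import fnmatch

# Added example: simplified IAM evaluation model (not the real IAM engine).
# It covers only what this page uses: Effect, Action/NotAction with "*"
# wildcards, Resource "*", and Date* operators on aws:CurrentTime.
POWER_USER = {"Statement": [  # the question's role policy, condensed
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"},
]}

# Denying outside the window needs two statements: operators inside a single
# Condition block are ANDed, so "before start AND after end" never matches.
WINDOW_DENY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}}},
]}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def action_matches(stmt, action):
    pats = stmt.get("Action", stmt.get("NotAction"))
    pats = [pats] if isinstance(pats, str) else pats
    hit = any(fnmatch(action, p) for p in pats)
    return hit if "Action" in stmt else not hit  # NotAction inverts the match

def condition_holds(stmt, now):
    for op, kv in stmt.get("Condition", {}).items():  # all operators ANDed
        bound = parse_time(kv["aws:CurrentTime"])
        if op == "DateGreaterThan" and not now > bound:
            return False
        if op == "DateLessThan" and not now < bound:
            return False
    return True

def evaluate(policies, action, now):
    """Return 'Allow' or 'Deny'; the default (no matching Allow) is Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if action_matches(stmt, action) and condition_holds(stmt, now):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny overrides every allow
                decision = "Allow"
    return decision
```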