
I'm currently working on an AWS SSO project.

Important note: currently AWS SSO does not support customer managed policies.

So basically I need a PowerUser profile but with some minor adjustments (such as removing some actions on GuardDuty, for example).

Will this work?

Type: AWS::SSO::PermissionSet
Properties:
  InlinePolicy: |
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "NotAction": [
                    "guardduty:Get*",
                    "guardduty:List*"
                ],
                "Resource": "*"
            }
        ]
    }
  InstanceArn: arn:...:sso....
  ManagedPolicies:
    - arn:....:PowerUserAccess
  Name: MyPermSet

Will the deny in the inline policy override every action?

Do I need to add target resources:

"Resource": "guardduty:*"

How does AWS interpret policies? Managed first then Inline can override them? The other way around?

I'm a bit lost.

pida

1 Answer

You can look at the evaluation logic in order to establish whether or not your Deny would work:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Judging by the flow in the link above, a Deny in a custom policy should override an Allow in a managed policy (as Denies are assessed first), so if you apply both, the explicit Deny should win. You can also find a nice example of something describing a similar situation here:

http://raaviblog.com/use-aws-sso-to-deny-permissions-for-iam-and-sso-itself/

Either way - make sure to test that the policy works and that it properly blocks unneeded access.

Lior Z
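As an added illustration of the evaluation order the answer links to (this is not code from either post or from AWS): a constructed, deliberately simplified evaluator that applies "explicit Deny wins, otherwise Allow if any statement allows, otherwise implicit deny" to the posted inline policy alongside a stand-in for PowerUserAccess. It ignores Resource, Condition and Principal matching, and the PowerUserAccess stand-in and the GuardDuty action names are assumptions. Running it shows why a Deny with NotAction behaves differently from a Deny with Action.

```python
import fnmatch

# Constructed, simplified IAM-style evaluator (not AWS's implementation):
# explicit Deny wins; otherwise Allow if some statement allows; otherwise implicit deny.
# Resource/Condition/Principal are ignored, so only the Action/NotAction logic is modelled.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(action, statement):
    """Does the statement cover this action? IAM action matching is case-insensitive."""
    act = action.lower()
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["Action"]))
    # NotAction: the statement applies to every action NOT in the list
    return not any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(statement["NotAction"]))

def evaluate(action, *policies):
    """Return 'Deny' or 'Allow' for one action across all attached policies."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _applies(action, statement):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"          # explicit Deny ends evaluation immediately
            allowed = True
    return "Allow" if allowed else "Deny"  # no Allow at all -> implicit deny

# Assumed stand-in for the PowerUserAccess managed policy (real one is more detailed).
POWER_USER = {"Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}]}

# The inline policy exactly as posted in the question: Deny + NotAction.
INLINE_AS_POSTED = {"Statement": [
    {"Effect": "Deny", "NotAction": ["guardduty:Get*", "guardduty:List*"], "Resource": "*"}]}

# A Deny + Action variant that removes only specific GuardDuty actions (action names assumed).
INLINE_SPECIFIC = {"Statement": [
    {"Effect": "Deny", "Action": ["guardduty:Delete*", "guardduty:Update*"], "Resource": "*"}]}

def as_posted(action):
    return evaluate(action, POWER_USER, INLINE_AS_POSTED)

def with_specific_deny(action):
    return evaluate(action, POWER_USER, INLINE_SPECIFIC)

if __name__ == "__main__":
    for a in ("ec2:RunInstances", "guardduty:GetDetector", "guardduty:DeleteDetector", "iam:CreateUser"):
        print(f"{a:28} posted={as_posted(a):5} specific={with_specific_deny(a)}")
```

With the policy as posted, the Deny applies to every action that is not a GuardDuty Get/List call, so ordinary PowerUser actions such as ec2:RunInstances end up denied; the Action form denies only the listed GuardDuty actions.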