
I need to make an administrator role where only access to a few resources is blocked. This seems straightforward. I can create a role with two policies: the AWS-managed AdministratorAccess policy and a deny policy for the relevant resources.

ManagedPolicyArns:
  - arn:aws:iam::aws:policy/AdministratorAccess
Policies:
  - PolicyName: DenyAccess
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Deny
          Action:
            - '*'
          Resource:
            - arn:aws:s3:::example-bucket      # bucket-level actions (ListBucket, ...)
            - arn:aws:s3:::example-bucket/*    # object-level actions (GetObject, PutObject, ...) need the object ARN as well
            - ...

However, because the role now has full IAM access, it seems it can easily bypass the deny policy. To do this, it can create a new policy with full access and assign this policy to a Lambda. This Lambda then has full access to the resources which are denied to the original role.

Is there a way to control which resources/actions a role can define in a new policy?

I have tried using permissions boundaries, as suggested in this SO question, but it didn't work.

- PolicyName: BoundaryPolicy
  PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Action: 'iam:*'
        Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/*
        Condition:
          StringEquals:
            iam:PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/DenyPolicy

JanJetze
  • Why not deny iam actions as well? – Marcin Jan 16 '23 at 09:13
  • The role needs to have access to IAM actions. It needs to be able, for example, to create a lambda that has permissions to S3 buckets. That is, S3 buckets the role itself also has access to. – JanJetze Jan 16 '23 at 09:24
  • 1
    you can either use organizations and apply an SCP to deny or use Permission boundaries so that the user can't escalate their access more than what has been provided. – Sri Jan 16 '23 at 09:38
  • So I tried with the permissions boundary as described at the end of the question. However, I was still able to assume the new management role and create a policy with a statement that was denied on the role itself. What did I do wrong in the boundary? – JanJetze Jan 16 '23 at 10:10
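
An added example, not part of the question or of any comment, of the permissions-boundary pattern the comments point at, written as a complete CloudFormation template in the same style as the question. The idea is that the "maximum permissions" of the whole delegation chain live in one customer-managed policy: it is attached as the boundary of the admin role itself, and the admin role is denied (with StringNotEquals, so that a request with no boundary at all is denied too) every IAM call that would create or modify a role or user without that same boundary. A Lambda role created by the admin role therefore carries the boundary and can never reach the protected bucket, and the boundary policy is locked against being edited, replaced or removed. On top of AdministratorAccess an Allow statement with a condition, as in the question's BoundaryPolicy, adds nothing; the guardrail has to be a Deny. The resource names RestrictedAdminBoundary, RestrictedAdmin and NoEscalation, the trust policy, and the protected bucket are assumptions made for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not from the question) of a restricted admin role that cannot escalate past its boundary

Resources:
  # The ceiling for the admin role AND for every role or user it creates:
  # AdministratorAccess minus the protected resources.
  RestrictedAdminBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RestrictedAdminBoundary   # assumed name
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEverythingElse
            Effect: Allow
            Action: '*'
            Resource: '*'
          - Sid: DenyProtectedResources
            Effect: Deny
            Action: '*'
            Resource:
              - arn:aws:s3:::example-bucket      # bucket-level actions
              - arn:aws:s3:::example-bucket/*    # object-level actions

  RestrictedAdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RestrictedAdmin                  # fixed name so the role can refer to its own ARN below
      PermissionsBoundary: !Ref RestrictedAdminBoundary   # Ref of a ManagedPolicy resolves to its ARN
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root   # assumed trust policy
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      Policies:
        - PolicyName: NoEscalation
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Deny any create/modify of a role or user unless it carries the boundary.
              # StringNotEquals also matches when iam:PermissionsBoundary is absent from
              # the request, so CreateRole with no boundary, or AttachRolePolicy to an
              # existing role that has none, is denied as well.
              - Sid: OnlyTouchPrincipalsWithTheBoundary
                Effect: Deny
                Action:
                  - iam:CreateRole
                  - iam:CreateUser
                  - iam:AttachRolePolicy
                  - iam:AttachUserPolicy
                  - iam:DetachRolePolicy
                  - iam:DetachUserPolicy
                  - iam:PutRolePolicy
                  - iam:PutUserPolicy
                  - iam:DeleteRolePolicy
                  - iam:DeleteUserPolicy
                  - iam:PutRolePermissionsBoundary
                  - iam:PutUserPermissionsBoundary
                Resource: '*'
                Condition:
                  StringNotEquals:
                    iam:PermissionsBoundary: !Ref RestrictedAdminBoundary
              # The boundary must stay attached ...
              - Sid: KeepBoundaryAttached
                Effect: Deny
                Action:
                  - iam:DeleteRolePermissionsBoundary
                  - iam:DeleteUserPermissionsBoundary
                Resource: '*'
              # ... and must not be rewritten into something wider.
              - Sid: NoBoundaryEdit
                Effect: Deny
                Action:
                  - iam:CreatePolicyVersion
                  - iam:DeletePolicy
                  - iam:DeletePolicyVersion
                  - iam:SetDefaultPolicyVersion
                Resource: !Ref RestrictedAdminBoundary
              # The admin role carries the boundary itself, so the first statement would
              # let it overwrite or drop this very policy; pin its own guardrail explicitly.
              - Sid: KeepOwnGuardrail
                Effect: Deny
                Action:
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:DetachRolePolicy
                  - iam:UpdateAssumeRolePolicy
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/RestrictedAdmin
```

Deploy with `aws cloudformation deploy --template-file <file> --stack-name <name> --capabilities CAPABILITY_NAMED_IAM`. To check it, assume RestrictedAdmin and run `aws iam create-role` once without `--permissions-boundary` (expect AccessDenied) and once with the boundary ARN (expect success); a Lambda using the second role is then capped by the boundary and cannot reach example-bucket no matter what policy is attached to it. Two paths remain open by design of the condition key: `iam:PassRole` and `sts:AssumeRole` do not support `iam:PermissionsBoundary`, so an existing, unbounded privileged role in the account could still be passed to a Lambda or assumed directly. Those have to be denied by ARN or tag, or blocked account-wide with an SCP, which is why the Organizations route in the comments is the more complete control.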

0 Answers