
Is it possible to allow a user to create policies that don’t contain any IAM Write actions, such as iam:CreatePolicy or iam:AttachPolicyRole?

The reason I’m asking is that the company I work at has a single person which can create policies & roles for security reasons. But this is quickly becoming a bottleneck, and we would like to transfer the responsibility of creating roles & policies to more people in a secure fashion. One way I can think is to limit the actions a policy can have, and the most sensitive actions are IAM actions, but I don’t know if this is possible.

2 Answers


  1. Yes, you can create customer managed policies by just simply adding a permission in that policy.

  2. IAM has an important feature called permissions boundaries:

    A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

    A permissions boundary is designed to restrict permissions on IAM principals (IAM users and IAM roles). It enforces a centrally-managed boundary that can’t be exceeded, even if broader permissions are granted by some other policy attached to the IAM principal.

    Permissions boundaries can also be used to restrict what permissions that IAM principal can grant when creating new IAM principals.

    Here’s an example of an IAM statement that you could add to an IAM user’s policies that would allow that user to create new IAM users and roles but restrict the created roles and users to a specified permissions boundary:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIAMCreate",
          "Effect": "Allow",
          "Action": [ "iam:CreateUser", "iam:CreateRole" ],
          "Resource": "*"
        },
        {
          "Sid": "DenyIAMCreateWithoutBoundary",
          "Effect": "Deny",
          "Action": [ "iam:CreateUser", "iam:CreateRole" ],
          "Resource": [
            "arn:aws:iam::1234567890:user/*",
            "arn:aws:iam::1234567890:role/*"
          ],
          "Condition": {
            "StringNotEquals": {
              "iam:PermissionsBoundary": "arn:aws:iam::1234567890:policy/DevBoundary"
            }
          }
        }
      ]
    }

    Here’s a good introductory video: Prevent privilege escalation with AWS IAM permission boundaries

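The following is an added worked example, not code from the answer above or from AWS. It is a deliberately small, offline evaluator of the two rules the answer relies on: (1) a permissions boundary caps what an identity policy can grant, so the effective permission is the intersection of the two, and (2) the Deny-with-StringNotEquals statement from the answer refuses iam:CreateRole / iam:CreateUser unless the request carries the expected iam:PermissionsBoundary. The account id and DevBoundary ARN are the placeholder values from the answer; the contents of the DevBoundary policy and the developer's identity policy are constructed for the example. The evaluator only supports Allow/Deny, wildcard actions and resources, and the StringEquals/StringNotEquals operators, and it follows AWS's documented behaviour that a negated operator such as StringNotEquals matches when the condition key is absent from the request, which is what makes the Deny statement bite on requests that specify no boundary.

```python
"""Toy evaluator for IAM permissions-boundary semantics (added example, not AWS code)."""
from fnmatch import fnmatch

ACCOUNT = "1234567890"  # placeholder account id taken from the answer above
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DevBoundary"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app-role"      # constructed sample target
POLICY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/escalate"  # constructed sample target

# The delegation policy from the answer, as a full policy document.
DELEGATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowIAMCreate", "Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:CreateRole"], "Resource": "*"},
        {"Sid": "DenyIAMCreateWithoutBoundary", "Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateRole"],
         "Resource": [f"arn:aws:iam::{ACCOUNT}:user/*",
                      f"arn:aws:iam::{ACCOUNT}:role/*"],
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    ],
}

# Constructed DevBoundary: broad service access, read-only IAM, no IAM writes.
DEV_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "lambda:*", "iam:Get*", "iam:List*"],
                   "Resource": "*"}],
}

# Constructed identity policy a developer might write for themselves:
# it grants iam:* but the boundary above will cap it.
DEV_IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM action/resource matching is case-insensitive with '*' and '?' wildcards.
    return any(fnmatch(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(cond, context):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if op == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif op == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal", so it matches.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def effective(identity_policy, boundary_policy, action, resource, context=None):
    """Boundary semantics: the request succeeds only if BOTH policies allow it."""
    return (evaluate(identity_policy, action, resource, context) == "Allow"
            and evaluate(boundary_policy, action, resource, context) == "Allow")


if __name__ == "__main__":
    # Rule 1: the boundary strips the IAM write even though the identity policy grants iam:*.
    print("iam:CreatePolicy inside boundary:", effective(DEV_IDENTITY, DEV_BOUNDARY, "iam:CreatePolicy", POLICY_ARN))
    print("s3:GetObject inside boundary:", effective(DEV_IDENTITY, DEV_BOUNDARY, "s3:GetObject", "arn:aws:s3:::bucket/key"))
    # Rule 2: delegated CreateRole only works when the new role carries the DevBoundary.
    print("CreateRole with boundary:", evaluate(DELEGATION_POLICY, "iam:CreateRole", ROLE_ARN, {"iam:PermissionsBoundary": BOUNDARY_ARN}))
    print("CreateRole without boundary:", evaluate(DELEGATION_POLICY, "iam:CreateRole", ROLE_ARN))
```

Running it shows the two halves of the answer working together: the delegated user can create roles, but only roles that carry DevBoundary, and anything created under DevBoundary cannot perform IAM writes no matter what its own identity policy says. In a real account the same check can be exercised with the IAM policy simulator rather than this toy evaluator.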