Is it possible to create an AWS role (with "iam:CreateRole" permissions) to prevent it having privilege escalation, and only allow it to create new roles with a specific set of permissions e.g: "s3:GetObject"?
I am not sure if PermissionsBoundary is what I am after something like (in terraform):
statement {
sid = "AddRole"
effect = "Allow"
actions = ["iam:CreateRole", "s3:CreateBucket"]
resources = ["arn:aws:iam::${var.cluster.aws_account_id}:role/*"]
condition {
test = "StringEquals"
values = [aws_iam_policy.boundary_role_iam_policy.arn]
variable = "iam:PermissionsBoundary"
}
}
where boundary_role_iam_policy is a role with just allow "s3:GetObject"?
2
Answers
@Eidt
Sorry, I misunderstood your question – yes, your
permissions boundaryattached to the user should have the maximum access, that you want to grant to the users, and condition that you pasted in the question.Also, I will leave this piece because it is a way in which you can do the same.
It is possible to do it using SCP, and
Permissions boundary.SCPPermissions boundaryPermissions boundary(for everything beyond you)Permissions boundary PolicyYes, a permission boundary is exactly what you need.
Add the following as a permission boundary of the role: