When responsibility for fine-grained Policy creation is delegated to an Identity such as a Developer, that Identity often expects to use iam:createRole to configure permissions for cloud resources.
Developer Needs
Developers frequently need to create Identities such as IAM Roles during deployment to manage permissions for the software resources they deploy. The Operations admin, however, is understandably reluctant to grant AdministratorAccess. Even when Admin grants are avoided, the required Action iam:create[Role/User] would let the developer create an Identity that carries a separate Policy, thereby bypassing the developer's own Identity Policy document.
Operations Needs
As an Operations administrator configuring a wide policy for a delegated permissions management Identity, we need to establish an outer boundary of permissible grants. New Identities (IAM Roles, IAM Users) created by the delegated Identity must not surpass the Permission Boundary defined for the delegated Identity. Identities must not be able to alter their boundary Policy.
Alternatives to the correct solution for these constraints usually require close, ongoing collaboration between the Operations admin and the Developer to refine each specific role being deployed. It is a difficult problem, because granting iam:create[Role/User] to the deployer Identity could be used to circumvent any permission restriction placed on that Identity.
Finding a middle-ground
Each IAM User and Role not only accommodates an Identity Policy Document attachment, but also allows for the attachment of a typical IAM Policy known as a “Permission Boundary Policy.”
When a Role or User has a Permission Boundary Policy, every access attempt must be authorized by both the Identity Policy Document and the Permission Boundary Policy Document. This lets the AWS Operations admin grant iam:create[Role/User] only when the Permission Boundary slot on the new Identity has been filled ("propagated") with the Boundary Policy ARN.
Identifying the Solution: the Permission Boundary Policy slot
The ability to apply Policy documents to two separate slots on an Identity is what makes it possible to grant an Identity the createRole Action safely. At access time, the permissions granted to the new Identity are intersected with the named Boundary Policy that is also attached to the delegated Identity. The conditional grant of createRole requires the deployer to apply that same named Boundary Policy to the new Identity. AWS never needs to parse the Identity Policy Document to decide whether it stays within a given boundary; instead, the intersection of the two documents is computed at the time of each access request.

Figure: Permission calculation during access
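The evaluation described above, as an added example that is not part of the original post: a small Python model of how a boundary narrows an identity policy, and of how a deny-unless-propagated statement like the one in the sample stack behaves when iam:PermissionsBoundary is absent from the request context. The two policy documents, the account id and the function names are constructed for this illustration.

```python
import fnmatch
# Constructed ARN for the example; the account id is a placeholder.
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/SampleBoundaryPolicy"
# Constructed, trimmed-down stand-in for the sample boundary policy on this page.
BOUNDARY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": ["*", "arn:aws:iam::*:role/*"]},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateRole"], "Resource": "*",
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
]}
# Constructed developer identity policy, deliberately broader than the boundary.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "s3:*", "iam:CreateRole"], "Resource": "*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _match(patterns, value):
    # IAM-style '*' / '?' wildcard match against one or more patterns.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
def _condition_ok(cond, ctx):
    # String* operators only. A missing context key fails a positive operator but
    # satisfies a negated one, so a CreateRole call with no boundary trips the Deny.
    for op, pairs in (cond or {}).items():
        negated, like = "Not" in op, op.endswith("Like")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            hit = actual is not None and any(
                fnmatch.fnmatchcase(actual, e) if like else actual == e for e in _as_list(expected))
            if hit == negated:
                return False
    return True

def decide(policy, action, resource, ctx):
    # Evaluate one policy document: explicit Deny beats Allow beats implicit deny.
    verdict = "Implicit"
    for st in policy["Statement"]:
        if not (_match([a.lower() for a in _as_list(st["Action"])], action.lower())
                and _match(st["Resource"], resource)
                and _condition_ok(st.get("Condition"), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def is_allowed(action, resource, ctx, identity=IDENTITY_POLICY, boundary=BOUNDARY_POLICY):
    # Boundary semantics: any explicit Deny wins; otherwise both documents must Allow.
    verdicts = [decide(p, action, resource, ctx) for p in (identity, boundary)]
    return "Deny" not in verdicts and all(v == "Allow" for v in verdicts)
```

Note that s3:* is allowed by the identity policy but not by the boundary, so it is denied, while iam:CreateRole succeeds only when the request carries the boundary ARN.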
References
Sample Permission Boundary Policy stack
{
  "Resources": {
    "SampleBoundaryPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Sid": "CloudWatchLogsFullAccess",
              "Effect": "Allow",
              "Action": ["cloudwatch:*", "logs:*"],
              "Resource": "*"
            },
            {
              "Sid": "LambdaFullAccess",
              "Effect": "Allow",
              "Action": ["lambda:*"],
              "Resource": ["*", "arn:aws:lambda:*:*:function:*"]
            },
            {
              "Sid": "IAMLimitedAccess",
              "Effect": "Allow",
              "Action": [
                "iam:*Policy*",
                "iam:*List*",
                "iam:*Get*",
                "iam:CreateRole",
                "iam:PutRolePermissionsBoundary",
                "iam:CreateServiceLinkedRole",
                "iam:DeleteRole",
                "iam:*RolePolicy*"
              ],
              "Resource": ["*", "arn:aws:iam::*:role/*"]
            },
            {
              "Sid": "IamDenyPassRoleExceptAwsServices",
              "Effect": "Deny",
              "Action": "iam:PassRole",
              "Resource": "*",
              "Condition": {
                "StringNotLike": {
                  "iam:PassedToService": "*.amazonaws.com"
                }
              }
            },
            {
              "Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied",
              "Action": [
                "iam:CreateUser",
                "iam:CreateRole",
                "iam:PutRolePermissionsBoundary",
                "iam:PutUserPermissionsBoundary"
              ],
              "Condition": {
                "StringNotEquals": {
                  "iam:PermissionsBoundary": {
                    "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/SampleBoundaryPolicy"
                  }
                }
              },
              "Effect": "Deny",
              "Resource": "*"
            },
            {
              "Sid": "DenyPermBoundaryIAMPolicyAlteration",
              "Action": [
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion"
              ],
              "Effect": "Deny",
              "Resource": {
                "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/SampleBoundaryPolicy"
              }
            },
            {
              "Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole",
              "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
              ],
              "Effect": "Deny",
              "Resource": "*"
            },
            {
              "Sid": "DenyAllConfig",
              "Effect": "Deny",
              "Action": "config:*",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "Description": "Denies IAM Role or User creation unless this Boundary Policy is propagated forward onto the new Identity",
        "Path": "/",
        "ManagedPolicyName": "SampleBoundaryPolicy"
      }
    }
  }
}