I am using a Service Control Policy - two actually. One which is on the root of my OU, which is the standard FullAWSAccess one. The other is a new one which I wrote:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSTS",
      "Effect": "Deny",
      "NotAction": [
        "sts:*",
        "s3:*",
        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}
To me, the policy looks good - I want to only be able to use STS (assumeRole), and I have an S3 + IAM allow in there just for testing purposes.
However, when I apply this policy to the organizational unit which contains my SafeManagement account (from which I want to use an IAM user to AssumeRole into other accounts in the organization...) it just straight up denies everything!
I have the IAM permissions in there as already stated for debugging purposes - I still get this error when trying to view my buckets or create one:
The reason I know that it's the SCP causing this issue is that when I quickly change the SCP to Effect: Allow and NotAction to Action, it works perfectly and I can view my buckets and IAM roles and so on!
My question is - why is it denying everything instead of letting me do what I am clearly asking it to do - allow sts, s3 and iam actions inside of this organizational unit?
So this is one of those situations where I sit on a problem for an hour and then finally give up and ask on Stack Overflow; then I get a random brainwave and solve it...
This policy works for me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSTS",
      "Effect": "Deny",
      "NotAction": [
        "sts:*",
        "s3:*",
        "iam:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MaybeThisFixesIt",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
In the CI/CD section of the AWS SAM tutorial workshop, when I ran sam pipeline init --bootstrap and went through the configurations, a role was created with this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Doesn't this grant the role complete permission over my AWS account, which is a big no-no? Or is it fine because the permission is granted to an AWS service, and not a user?
This is the trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Having a role that exists with those permissions is fine.
When you create a vanilla AWS Account (in other words I am not including those created by enterprise landing zones like Control Tower) it comes with a policy called AdministratorAccess and a role called Administrator.
The best practice is in who or what you allow to use that policy and when.
Roles are preferred over users, since roles provide security credentials. With a user you have durable credentials you need to secure.
In this case you are allowing CloudFormation to assume this role. This makes sense since CloudFormation often needs to be able to create and modify any resources, including IAM roles. If you know you will not be creating or modifying IAM resources you can use a more restrictive role (least privilege), for example using the PowerUserAccess policy, which looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole",
        "iam:ListRoles",
        "organizations:DescribeOrganization",
        "account:ListRegions"
      ],
      "Resource": "*"
    }
  ]
}
I am trying to simulate an IAM policy I want to attach to a user so I can restrict their access to two buckets, one for file upload and one for file download.
The policy simulator tells me that the following policy does not work and I cannot figure out why, but it seems to be to do with the wildcards.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket-*-report-output/*.csv"
      ]
    },
    {
      "Sid": "PutObjects",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::mybucket-*-report-input/*.csv"
      ]
    }
  ]
}
The policy simulator says the following policy does work, however:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket-*-report-output"
      ]
    },
    {
      "Sid": "PutObjects",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::mybucket-*-report-input"
      ]
    }
  ]
}
There must be something I am missing about how to structure the policy. I want to restrict access to the buckets in the policy for the operations mentioned, but I also want to ensure that the user can only add and retrieve files with the .csv extension.
Below is a screenshot of the simulator:
Your policy is 100% correct - the IAM Policy Simulator is showing wrong results for some absurd reason.
I also can reproduce your problem using the above policy, and the results are all over the place - sometimes both allowed, both denied, only one allowed etc.
It seems to be having an issue with the double wildcard, and sometimes it is coming back with the wrong resource ARN being evaluated in the HTTP response being returned (I'm sometimes seeing both ARNs set to output instead of only 1 set to output in the network tab for the HTTP response - caching?).
It's not limited to PutObject either, and it's giving me loads of conflicting results with the double wildcard, even for other actions like s3:RestoreObject.
Regardless, I'm not sure what the issue is but your policy is correct - ignore IAM Policy Simulator in this case.
If you have access to AWS Support, I would create a support ticket there or post this same question as a potential bug on the AWS forums.
Evidence of a conflicting result, even though I have exactly recreated your scenario:
What I am trying to do is use my IAM user udagram-xue-dev to assume the role eksClusterRole. This is how my policies are configured:
This policy has been added to my IAM user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111111111111:role/eksClusterRole"
    }
  ]
}
This trust policy has been added to my eksClusterRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/udagram-xue-dev",
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
but I still get this problem:
I have read a lot of relevant details about this assume-role problem, but I still can't figure out how to fix it. It seems that they all just need to add these policies, and then it'll be OK.
According to your configuration, everything seems to be in place. However, there might be a different policy (permission boundary, service control policy, or another IAM policy applied to the user) that overrides the permissions.
You can test your policies and find out if there’s anything interfering with your permissions using the IAM Policy Simulator.
I'm trying to give a user the rights to create Roles (since I'm not providing rights to create Access Keys).
I have figured out a Policy to allow the user to create and assign Roles.
The issue I have is that right now, the user can create a role with the Policy of "AdministratorAccess" even though they are not Administrator. Is there a way to deny certain policies in the list of options?
Below is the policy done via the wizard provided.
Thanks,
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:UpdateAssumeRolePolicy",
        "iam:ListRoleTags",
        "iam:UntagRole",
        "iam:PutRolePermissionsBoundary",
        "iam:TagRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListPolicies",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:DeleteRole",
        "iam:UpdateRoleDescription",
        "iam:CreateServiceLinkedRole",
        "iam:UpdateRole",
        "iam:DeleteServiceLinkedRole",
        "iam:GetRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
EDIT: 26/6/20
I tried to use Permission Boundaries as suggested, but perhaps my understanding is still insufficient. I made a new policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAdmin",
      "Effect": "Deny",
      "Action": [
        "iam:*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::aws:policy/AdministratorAccess"
          ]
        }
      }
    }
  ]
}
I would think that would mean Deny any/all IAM actions when it concerns the AdministratorAccess policy. However, the result is that all role assignments/creation are denied even when the policy being attached is NOT AdministratorAccess. However, if I set up a policy and add a Condition of ArnNotEquals the AdministratorAccess, then I seem to be able to do what I want (just using it as a policy, not as a Boundary).
Based on what I have seen, Permissions Boundary is probably the right way to go, but I cannot quite get it yet so I'm hesitant to mark it as "Correct Answer".
You can use AWS IAM Permissions Boundaries: Permissions Boundaries for IAM Entities - AWS Identity and Access Management
“A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.”
Here’s a step-by-step introduction on the AWS Security Blog: Delegate permission management to developers by using IAM permissions boundaries | AWS Security Blog
So, using directions from John Rotenstein and finally realizing where I went wrong, the way to get what I want is to add the following Permissions Boundary to the user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BoundaryAllowAllNotAdminAccess",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::aws:policy/AdministratorAccess"
          ]
        }
      }
    }
  ]
}
Where I went wrong was thinking that I needed to Deny, but the Boundary is an AND restraint, so I can allow all as long as it is not AdministratorAccess; the other policies then give the actual actions/resources, and AWS will allow as long as it doesn't use AdministratorAccess.
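As an added illustration for the SCP thread at the top of this page and the permissions-boundary thread just above (editor-added example code, not from any of the posters or from AWS), the following Python models how IAM combines policies: at every level of an organization some SCP must explicitly Allow an action, so a Deny/NotAction-only SCP blocks everything until an Allow * statement is added, and a permissions boundary only intersects with the identity policy, so a boundary consisting solely of a Deny statement grants nothing. The sample policies are constructed with the shapes from the posts; the helper names, ADMIN, ATTACH and the other constants are assumptions.

```python
import fnmatch

def _hit(patterns, value):  # IAM-style wildcard match ('*', '?') against one pattern or a list
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _cond_ok(cond, ctx):  # just the condition operators the policies on this page use
    for op, pairs in cond.items():
        for key, vals in pairs.items():
            present = key in ctx and _hit(vals, ctx[key])
            # positive operators need a match, the *Not* variants need the absence of one
            if present == op.startswith(("ArnNot", "StringNot")):
                return False
    return True

def evaluate(policy, action, resource="*", ctx=None):
    """'Deny' if any matching statement denies, else 'Allow' if one matches, else 'Implicit'."""
    verdict = "Implicit"
    for st in policy["Statement"]:
        # NotAction matches every action that is NOT in its list
        matches = _hit(st["Action"], action) if "Action" in st else not _hit(st["NotAction"], action)
        if not (matches and _hit(st.get("Resource", "*"), resource)
                and _cond_ok(st.get("Condition", {}), ctx or {})):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def scp_allows(levels, action):
    """Organizations rule: at every level (root, OU, account) some SCP must Allow and none may Deny."""
    for scps in levels:
        verdicts = {evaluate(p, action) for p in scps}
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True

def within_boundary(identity, boundary, action, ctx):
    """Effective permission is identity policy AND boundary; a Deny in either wins."""
    return {evaluate(identity, action, ctx=ctx), evaluate(boundary, action, ctx=ctx)} == {"Allow"}
# Constructed sample policies with the shapes used in the threads above
FULL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}   # FullAWSAccess
DENY_ONLY = {"Statement": [{"Effect": "Deny", "NotAction": ["sts:*", "s3:*", "iam:*"], "Resource": "*"}]}
FIXED = {"Statement": DENY_ONLY["Statement"] + FULL["Statement"]}             # Deny plus explicit Allow
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH = {"Statement": [{"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*"}]}
DENY_ADMIN = {"Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*",
                             "Condition": {"ArnEquals": {"iam:PolicyArn": ADMIN}}}]}  # Deny-only boundary
NOT_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*",
                            "Condition": {"ArnNotEquals": {"iam:PolicyArn": ADMIN}}}]}  # working boundary
```

This is a deliberately small model (identity policies, SCPs and boundaries only; no resource-based or session policies), so use it to reason about the combinations discussed here rather than as a substitute for testing in an account.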
I initially tried all the JSON policies in the link below.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#customer-managed-policies-cwl
And I finally got a solution for giving "list, read, write" access to one specific log group for an IAM user by using the JSON policy below. But the user is able to see the list of other log groups as well. As per the JSON policy below, I tried limiting the resource for listing as well. It didn't work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogRecord",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:GetLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:/aws/lambda/XXXX:log-stream:*"
    }
  ]
}
But then I found tagging as a solution, tagged the log group and the user with the same tag, and tried the JSON policy below. That didn't work either.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "logs:ResourceTag/Team": "Green"
        }
      }
    }
  ]
}
Please can someone kindly suggest a way I could give one specific IAM user access to only one log group, for either list & read or list, read & write. But that user should not be able to see the other log groups.
But it is able to see the list of other log groups as well
That's not something you can typically do within AWS. Generally, IAM permissions can't affect the result of an API action. They can't filter it to only show something in particular. This is one of the reasons AWS recommends isolating workloads by using different accounts, as API calls are only scoped to one account.
In this case, you can either not give access at all or give access to list everything.