With the new Organizations:CloseAccount permission in AWS IAM. I am trying to create a rôle which is only allowed to close account in a specific OU.
I tried many things in the Ressources field. But I can't find the correct way. It seems to only accept an organization ID and not ou ID.
To be more precise I have an account in the root/management account. I want to allow him to only close accounts in a specific OU freely but deny close accounts from other OU.
Thanks
EDIT : I add some precisions
In your AWS Organization create a Service Control Policy (SCP) that denies all users and roles to call that Organizations:CloseAccount action - except the one in the Condition (name-of-admin-role-to-allow).
Then attach it to the specific OU.
What is a SCP?
An SCP defines a guardrail, or sets limits, on the actions that the
account's administrator can delegate to the IAM users and roles in the
affected accounts. The administrator must still attach identity-based
or resource-based policies to IAM users or roles, or to the resources
in your accounts to actually grant permissions. The effective
permissions are the logical intersection between what is allowed by
the SCP and what is allowed by the IAM and resource-based policies.
Source
Example
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAccountCloseWithException",
"Effect": "Deny",
"Action": [
"Organizations:CloseAccount",
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/name-of-role-to-deny"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalARN":"arn:aws:iam::*:role/name-of-admin-role-to-allow"
}
}
}
]
}
Related
Is it possible to allow a user to create policies that doesn't contain any IAM Write actions, such as iam:CreatePolicy or iam:AttachPolicyRole?
The reason I'm asking is that the company I work at has a single person which can create policies & roles for security reasons. But this is quickly becoming a bottleneck, and we would like to transfer the responsibility of creating roles & policies to more people in a secure fashion. One way I can think is to limit the actions a policy can have, and the most sensitive actions are IAM actions, but I don't know if this is possible.
IAM has an important feature called permissions boundaries:
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
A permissions boundary is designed to restrict permissions on IAM principals (IAM users and IAM roles). It enforces a centrally-managed boundary that can’t be exceeded, even if broader permissions are granted by some other policy attached to the IAM principal.
Permissions boundaries can also be used to restrict what permissions that IAM principal can grant when creating new IAM principals.
Here's an example of an IAM statement that you could add to an IAM user's policies that would allow that user to create new IAM users and roles but restrict the created roles and users to a specified permissions boundary:
"Statement": [
{
"Sid": "AllowIAMCreate",
"Effect": "Allow",
"Action": [ "iam:CreateUser", "iam:CreateRole" ],
"Resource": "*"
},
{
"Sid": "DenyIAMCreateWithoutBoundary",
"Effect": "Deny",
"Action": [ "iam:CreateUser", "iam:CreateRole" ],
"Resource": [
"arn:aws:iam::1234567890:user/*",
"arn:aws:iam::1234567890:role/*"
],
"Condition": {
"StringNotEquals": {
"iam":PermissionsBoundary": "arn:aws:iam::1234567890:policy/DevBoundary"
}
}
}
]
Here's a good introductory video: Prevent privilege escalation with AWS IAM permission boundaries
yes, you can create customer managed policies.by just a simply adding a permission in that policy.
I created some SQS queues as a root user. - Now when I like to restrict access via policies it does not seem to work. - Even with a test policy like this
{
"Version": "2008-10-17",
"Id": "PolicyDenyTest",
"Statement": [
{
"Sid": "DenyIt",
"Effect": "Deny",
"Principal": "*",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:us-west-2:xxxxxxxxxx:TST"
}
]
}
I can still send/retrieve/delete messages from the queue from my local machine. - Are policies only valid when creating queues with an IAM user?
The credentials of the account owner allow full access to all resources in the account. You cannot use IAM policies to explicitly deny the root user access to resources. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user. Because of this, we recommend that you create an IAM user with administrator permissions to use for everyday AWS tasks and lock away the access keys for the root user.
https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html
The root key is all-powerful key that can be used to recover everything even if you mistakenly deny all access to all your resources. This is a well thought-out decision that is explained in the linked doc
I am checking the steps of setting up IAM auth in RDS: https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/ And one of the steps is to attach the IAM role with proper permission: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/db_user"
]
}
]
}
The resource follows this format:
arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
If I understand correctly, as long as I know someone's account-id, DbiResourceId and db-user-name (or maybe db-user-name as I can use wildcard?), then I am able to connect to that DB instance, right?
This sounds insecure. Did I miss anything?
No this would not be possible. The only want to interact with this resource would be to assume a role in the target account.
You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see How IAM Roles Differ from Resource-based Policies in the IAM User Guide
I am new to AWS IAM and I am learning to do a security audit for AWS.
For a specific user in AWS the JSON permissions policy looks like this (Account no changed of course)
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::111111111111:role/APP-NonProd-BC",
"arn:aws:iam::111111111112:role/APP-nonProd-Admins",
"arn:aws:iam::123456789011:role/APP-nonProd-AdminAccess-Role",
"arn:aws:iam::111111111111:role/App-NonProd-S3Ops",
"arn:aws:iam::111111111111:role/APY-nonProd-EC2Admin"
]
}
}
My question is - Where I can find the permissions for each of the resources. Means, for APP-nonProd-BC resource : what kind of permissions apply?
For APP-nonprod-AdminAccess-Role : is it really have Admin Access or its just named as AdminAccess and where I Can find the permissions definitions ?
I searched in permissions but not able to find relevent for each of the resources "App-nonProd-BC" or App-nonprod-adminaccess-role" etc. Kindly help.
These are rules to allow the User to assume these roles. Look within the IAM roles defined and you should be able to see the associated permissions. Permissions can be given to roles, and then user allocated to the roles, so that you can change all the permissions at once and simplify the permission process.
Use case: In our application we need to give iam : putUserPolicy permissions to IAM entities. That is trivial. We can assign the policy mentioned below to the IAM entity to which we want to give iam : putUserPolicy permission
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"iam : putUserPolicy"
],
"Resource":"*"
}
]
}
Let's say we have another requirement and assign putUserPolicy to IAM user U1. This means that now U1 can assign ANY policy to ANY IAM user. The second "ANY" can be avoided by changing "Resource":"*" to "Resource":"user-arn", but how do we deal with the first ANY?
Is there a way to give "iam : putUserPolicy" permission such that putting only "iam : CreateUser" permission is allowed? Or perhaps only "iam : CreateUser" is blocked and putting rest all policies is allowed?
I went through the AWS documentation and I found conditions kind of helpful but I could not find any IAM service-specific keys and values though I did find some for EC2 and SNS.
As an example we can assign the following policy:
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["s3:ListBucket"],
"Resource":"*",
"Condition":{"StringNotEquals":["s3:prefix":"arn:aws:s3:::BUCKET-NAME/home/"]}
}
]
}
which gives permissions to all other S3 folders and buckets except the home folder in a particular bucket.
Can we do something like this?
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["iam:PutUserPolicy"],
"Resource":"*",
"Condition":{"StringNotEquals":["iam:policy-contains":"iam:CreateUser"]}
}
]
}
AWS has just introduced Managed Policies for AWS Identity & Access Management, which provide a fresh approach to sharing and maintaining IAM policies across IAM entities, notably also including Delegating permissions management, see Controlling Access to Managed Policies:
Managed policies give you precise control over how your users can manage policies and manage permissions for others. You can separately control who can create, update, and delete policies, and who can attach and detach policies to and from principal entities (users, groups, and roles). You can also control which policies a user can attach or detach, and to and from which entities. [emphasis mine]
A typical scenario is that you give permissions to an account administrator to create, update, and delete policies. Then, you give permissions to a team leader or other limited administrator to attach and detach these policies [...].
Section Controlling Permissions for Attaching and Detaching Managed Policies provides an Example policy that allows attaching only specific managed policies to only specific groups or roles, which conceptually allows you to achieve what you are looking for:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:group/TEAM-A/*",
"arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/TEAM-A/*"
],
"Condition": {"ArnLike":
{"iam:PolicyArn": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:policy/TEAM-A/*"}
}
}
}