AWS IAM Permission Boundaries and iam:PassRole - amazon-iam

I want to create an IAM Role "deploy" in AWS that is able to deploy Lambda functions. The Role is supposed to create everything needed for the Lambda functions, including the Execution Role.
So the "deploy" Role must be able to create Roles and add policies. To prevent permission escalation, I thought permission boundaries would be a good idea. So I would create a permission boundary policy and prevent the "deploy" Role from creating any Role without that permission boundary.
How that is done is described here.
Basically, any CreateRole action that does not use the permission boundary is denied, and any tampering with the permission boundary is also denied. This works by setting a condition like this (for details see the provided link):
"Condition": {
    "StringEquals": {
        "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/MyPermissionBoundary"
    }
}
But for my use case, what it comes down to is preventing the "deploy" Role from using iam:PassRole with any Role that does not have the permission boundary set. Otherwise the "deploy" Role could pass an Admin Role to the Lambda function.
But as far as I can see, I cannot set the "iam:PermissionsBoundary" condition for iam:PassRole.
Am I overlooking something? How can I get this to work?

Related

Insufficient IAM privileges. Unable to determine if instance profile 'aws-elasticbeanstalk-ec2-role' exists

Every time I try to create an environment from my CLI it pops up this error:
ERROR Unable to assign role. Please verify that you have permission to pass this role: aws-elasticbeanstalk-service-role.
and gives me "failed to launch environment",
even though I set up the AWS access key and secret access key and gave the user administrator permissions.
AWS has a strictly defined policy evaluation logic.
Deny evaluation – By default, all requests are denied. This is called an implicit deny. The AWS enforcement code evaluates all policies within the account that apply to the request. These include AWS Organizations SCPs, resource-based policies, identity-based policies, IAM permissions boundaries, and session policies. In all those policies, the enforcement code looks for a Deny statement that applies to the request. This is called an explicit deny. If the code finds even one explicit deny that applies, the code returns a final decision of Deny. If there is no explicit deny, the code continues.
As you can see, the first step checks for an explicit deny in all policies within the account that apply to the request. Although you have the admin permissions, there could be Organizations SCPs, resource-based policies, IAM permissions boundaries, or another IAM policy attached to your IAM user or group that explicitly denies passing a role. If you have access, just check them one by one. Or ask your administrator to do that.

Glue job throwing AccessDeniedException even though IAM role has GetJob access added

GlueJobRunnerSession is not authorized to perform: glue:GetJob on resource
It is difficult to determine the issue without having more details about your specific scenario. Either not all permissions are correctly set, or there is another policy in place that overrides the permissions.
In order to troubleshoot this yourself, you can use the AWS IAM Policy Simulator to test and find out if the permissions are set and if there are conflicting policies interfering.

Terraform-AWS IAM role attach managed policy to role only if it isn't attached already

I am attaching a few existing managed policies to an existing IAM role. I am attaching the policies to the role with aws_iam_role_policy_attachment.
resource "aws_iam_role_policy_attachment" "role_logscreate" {
  role       = data.aws_iam_role.qrm_role_ASM_access.name
  policy_arn = "arn:aws:iam::${local.account_id}:policy/pB-CloudWatchLogsCreate"
}
I want to add a "guard condition" that attaches the policy only if it is not already attached to the Role.
Is it possible in Terraform 0.12?
Update #marcin: we are using a TeamCity pipeline for 1-click deployment of the Terraform resources. Most of the time we remove 'all-resources', and at that time we detach these policies from the role as well. But sometimes the cherry-pick approach is used and IAM is not part of that, so there is a possibility that the IAM Role still has those policies and it is difficult for TC to detect these changes. So I want to add the guard condition in my Terraform code: "Attach only if not already attached to IAMRole". I hope this gives complete context and clarity on why I want to add these guard conditions.

What is the real benefit of AWS IAM permission boundaries?

If a user in AWS has the AdministratorAccess policy attached, they have full AWS access for that account. But with a permission boundary attached to that user, their access can be confined. For example, say the user has the permission boundary set to AmazonDynamoDBFullAccess; then the full access is confined to just DynamoDB.
What is the real benefit of the above approach? One could have just removed the AdministratorAccess policy and attached AmazonDynamoDBFullAccess to the user to achieve the same restrictions/permissions.
Is there anything more to understand?
That is not the purpose of IAM Permission Boundaries, nor is it the way they operate.
From Permissions boundaries for IAM entities - AWS Identity and Access Management:
AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
To explain via an example, let's say that a developer needs permission to create an IAM Role in their software development duties. This can be a very dangerous permission to assign, because they could create a Role that has full Admin permissions, thereby granting themselves even more permission than desired.
To limit their abilities, a permission boundary could be added to the developer such that they are only able to create an IAM Role if the role they define is attached to a permission boundary that limits the permissions of the Role (e.g. so it can only be used to access S3 and DynamoDB, but not other services). It can be a little confusing, but think of it as a set of rules that must be attached to any permissions they give, so that they can't grant full permissions. It's a way to grant them permissions, but limit what permissions they can on-grant to other entities.
This concept is totally separate to assigning IAM managed policies that you mention in your question. In most circumstances, assigning an IAM managed policy is perfectly sufficient. Permissions boundaries only really apply when somebody has permission to create new IAM entities.
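Added example, not code from any of the posts above: a small Python model of the IAM evaluation order quoted in the Elastic Beanstalk answer (any applicable explicit Deny wins; otherwise the identity policy must Allow, and so must the permissions boundary and the SCP when one is present). It serves three passages: the "deploy" role guard rail from the first question (CreateRole and policy attachment allowed only when iam:PermissionsBoundary is the expected ARN, boundary removal and edits to the boundary policy explicitly denied), the Elastic Beanstalk answer (an explicit Deny on iam:PassRole in an SCP overriding AdministratorAccess), and this answer's point that a boundary only intersects with the identity policy and grants nothing on its own. The account ID, role names, policy names and the SCP are constructed for the example; the evaluator ignores resource-based and session policies, only implements the StringEquals operator, and is not the real AWS engine. It does not settle the first question's iam:PassRole problem: the deploy policy below simply grants no PassRole at all.

```python
"""Simplified model of AWS IAM policy evaluation (added example, not AWS code).
Modelled: explicit deny first, then Allow required from the identity policy and
from each boundary/SCP present. Not modelled: resource-based and session
policies, NotAction/NotResource, operators other than StringEquals. Policy
documents omit the Version field for brevity. All ARNs are placeholders."""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account ID taken from the first question
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/MyPermissionBoundary"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, ctx):
    """True when Action, Resource and every StringEquals condition match.
    A StringEquals key missing from the request context fails the statement,
    which is what makes iam:PermissionsBoundary usable as a CreateRole guard."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    return True


def evaluate(policies, action, resource, context=None):
    """policies: list of (kind, name, document), kind in {"identity", "boundary", "scp"}.
    Returns (decision, "name/Sid" of the denying statement or None)."""
    ctx = context or {}
    kinds_allowing = set()
    for kind, name, doc in policies:
        for stmt in doc["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":  # step 1: one explicit deny ends evaluation
                return "ExplicitDeny", f"{name}/{stmt.get('Sid', '?')}"
            kinds_allowing.add(kind)
    # Step 2: identity policy must allow; a boundary or SCP, if present, must also allow.
    required = {"identity"} | {k for k, _, _ in policies if k in ("boundary", "scp")}
    return ("Allow", None) if required <= kinds_allowing else ("ImplicitDeny", None)


# Constructed policy documents used by the scenarios below.
ADMIN = {"Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
DYNAMODB_ONLY = {"Statement": [{"Sid": "DDB", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

# Identity policy for the hypothetical "deploy" role from the first question.
DEPLOY_ROLE_POLICY = {"Statement": [
    {"Sid": "CreateLambdaRolesOnlyWithBoundary", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/lambda-*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Sid": "NoBoundaryRemoval", "Effect": "Deny",
     "Action": "iam:DeleteRolePermissionsBoundary", "Resource": "*"},
    {"Sid": "NoBoundaryPolicyEdits", "Effect": "Deny",
     "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
     "Resource": BOUNDARY_ARN},
]}

# Constructed SCP: FullAWSAccess plus a Deny on passing the Beanstalk service role.
SCP_BLOCKS_EB_PASSROLE = {"Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "NoPassEBServiceRole", "Effect": "Deny", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::*:role/aws-elasticbeanstalk-service-role"},
]}

if __name__ == "__main__":
    lambda_role = f"arn:aws:iam::{ACCOUNT}:role/lambda-exec"
    deploy = [("identity", "deploy", DEPLOY_ROLE_POLICY)]
    print(evaluate(deploy, "iam:CreateRole", lambda_role, {"iam:PermissionsBoundary": BOUNDARY_ARN}))
    print(evaluate(deploy, "iam:CreateRole", lambda_role))  # no boundary on the request
    print(evaluate(deploy, "iam:DeleteRolePermissionsBoundary", lambda_role))
    eb = [("identity", "admin", ADMIN), ("scp", "org-scp", SCP_BLOCKS_EB_PASSROLE)]
    print(evaluate(eb, "iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/aws-elasticbeanstalk-service-role"))
    print(evaluate([("identity", "admin", ADMIN), ("boundary", "ddb", DYNAMODB_ONLY)], "s3:GetObject", "*"))
```

Reading the scenarios against the model: a CreateRole request that carries the boundary ARN is allowed, the same request without it falls through to an implicit deny, and the administrator who cannot pass the Beanstalk role is stopped by the SCP's Deny statement even though the identity policy says Allow on everything. The boundary-only case (no identity policy at all) shows why attaching a boundary is not a substitute for attaching a managed policy: it intersects, it never grants.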

AssumeRole Action in a Role's Trust Relationship Policy

As per AWS documentation,
A user who wants to access a role in a different account must also
have permissions that are delegated from the user account
administrator. The administrator must attach a policy that allows the
user to call AssumeRole for the ARN of the role in the other account.
I understand this requirement. However, I am not sure why an 'AssumeRole' action still needs to be specified again in the 'Trust Relationship' of the role. It makes sense to allow/restrict a Principal (using the 'AssumeRole' action) to assume a specific role, and also for the role being assumed to trust the assuming Principal (in its 'Trust Relationship'), but I am not sure why the role itself has to specify the 'AssumeRole' action in its Trust Relationship. Roles are always meant to be assumable, aren't they? Or alternatively, what is the significance of specifying the 'AssumeRole' action in the 'Trust Relationship' of a role?
I'm not an AWS Roles expert, but as far as I know, the Trust Relationship Policy Document makes sense for two main reasons:
A role can be assumed not only with the sts:AssumeRole action, but also with sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity (docs here).
As the name "Trust Relationship Policy Document" says, it's also a policy document. So instead of creating a different template for the Trust Relationship, AWS creates a single policy template and uses it in all cases; this way we only need to learn the policy template once (docs here).