How to avoid deletion of existing managed policy? - amazon-web-services

Below is the policy rule to create once but cannot delete the policy once created through cloudFormation. These are managed policies.
- Effect: Deny
Action:
- "iam:CreatePolicyVersion"
- "iam:DeletePolicy"
- "iam:DeletePolicyVersion"
- "iam:SetDefaultPolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary"
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/some-policy"
- Effect: Deny
Action:
- "iam:DeleteRolePermissionsBoundary"
Resource:
- "*"
But through AWS console, I went and deleted those two policies directly, by selecting the policy, Policy actions ---> delete
Later I deleted the stack that created those two policies.
How to avoid deletion of policies? Why above rule did not avoid deletion of policy? given any Principal

Policies only impact principals to which they are attached.
Creation of a policy that denies (or allows) any action doesn't actually do anything to deny (or allow) that action, unless the policy is subsequently attached to a principal (IAM user, group, or role).
You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. (emphasis added)
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Since everything is initially denied by default, the fact that you cam delete the policy means your IAM user necessarily has been granted permission to delete the policy (more probably, you have permission to delete any policy) -- you already have a policy attached to your user that allows this. The best way prevent an action is to not grant permission to perform the action. You could also associate this policy with all users or a group of all users, then only the root user for your account could delete it -- but that's usually the wrong solution, because it's cancelling out a misconfiguration that granted the permission initially.

Related

IAM PassRole restrictions

I need the permissions to pass an execution role to a Lambda when I create a CF.
So I have given the role used for creating the CF this:
Effect: Allow
Action:
- iam:PassRole
Resource:
- "myexecutionrole"
So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, put here I only find solution for restricting the source of the call not the target.
Is that I want possible and how?
You could use iam:AssociatedResourceArn. From docs:
Specifies the ARN of the resource to which this role will be associated at the destination service.

Do IAM roles by default have access to resources , for which root account has access?

I am new to AWS and trying to understand IAM. I have a doubt which goes like this. for example there is a s3 bucket in account A and in it's resource policy another AWS account B (root user) is given permission for a certain set of actions. Now there are certain roles which are also present in account B. so if someone assumes those roles, will they also have access to that s3 bucket in account A or the Arn of that role needs to be explicitly mentioned in the resource policy of bucket even though it's root account already has access to it ?
When you want to provide access cross-accounts, that is - access to a resource in one account to a principal (in this example, a role) from another account - granting the access on the resource policy is not enough - and you also have to give access to that principal in a IAM policy in its account. When you place the root user of an account in a resource based policy - that indicates that access may be granted to any principal within that account (using a IAM policy on that account)
So, to answer your question - if the root user of account B is a principal to which access is granted in the bucket policy - you don’t have to indicate the ARN of any specific role - However, you do need to assign access to the role in a IAM policy in account B so assuming it would grant access to the bucket (I’m assuming there’s no mechanism denying the access of course)
When a user assumes a role, the user temporarily gives up his or her original permissions in exchange for those granted by the role. So to answer your question, in order for the bucket to be accessible to the role assumed by the root account (or any principle really), the ARN of the role needs to be explicitly mentioned in the bucket policy.

IAM policy - How to reference resources?

Below is the policy template created to restrict any Principal to do only below actions:
Resources:
MyPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: RulesToCreateUpdatePolicy
ManagedPolicyName: some-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicy"
- "iam:DeletePolicy"
- "iam:CreatePolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/xyz-lambda-*"
on a policy resource that starts with name xyz-lambda-.
This policy is assigned to EC2 host, with a role.
Does this policy name(like xyz-lambda-*) supposed to be already exist in AWS, before uploading this policy in AWS?
No, when you are specifying resource in your policy document, that resource doesn't need to exists at all.
If you take into consideration this action
iam:CreatePolicy
together with your resource, what it does is that it grants necessary permissions to create policy with that particular name xyz-lambda-*. It wouldn't make much of sense to require existence of such resource if the policy is granting permissions to create it in the first place.
When you consider the delete action
iam:DeletePolicy
if the resource doesn't exist then it does nothing. Once you create policy with the appropriate name, you will be able to delete it but it doesn't matter whether the policy existed before this ManagedPolicy was created or after or you have deleted and recreated policy with such name any number of times.
Lastly, since you have stated that this policy is attached to EC2 role then it should work without errors. But I would still recommend to grant iam:ListPolicies permission for any resource (policy) discovery that could be performed by an application running on EC2 instance. If you don't allow this action in your policy, your application will not be able to list policies and you would have to design some error prone workaround based on guessing or a strict naming scheme.
Policy name is not important. Resources unique by ARN only. IAM Resources unique within AWS account an if u don't create this resource before it's ok

IAM policy allow creation of policies, but disallow changes of own account

For every project, we create two AWS accounts. One for development and staging and one for production. The developers have an IAM user in the root account and users assumed roles in the other accounts to access those.
I want to create a policy, which allows the developer to do nearly everything in the development account, including creating new policies and attaching those (for new resources, etc.), but the developer should not be able to modify his own role / attach new roles to himself.
Any ideas?
I'm facing the same issue I've already posted a question about that here (similar issue).
After a lot of research, I came to a conclusion: do not allow developers to create roles and policies.
Why?
I didn't find a way to answer my question allowing user creating roles only for resources and not for principals.
Even if I've found a solution for 1., there is a flaw: suppose developers can create roles for resources but not for principals and he (she) can create every policy he (she) wants. In this scenario, he (she) could create a policy for Lambdas and inside Lambdas, a script could be written to execute actions allowed by policies attached.
My final solution:
Create two groups called Developers and IAM in which IAM users can create any roles and policies, thus is trusted developers, and Developers can only attach policies whose path is services-roles, for instance.
Example a role attached to Developers group - allow users create everything except all iam actions except PassRole with path service-roles:
DevelopersIAMManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: 'Developers.'
# Groups:
# - String
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: iam:PassRole
Resource: 'arn:aws:iam::*:role/projects-roles/*'
- Effect: Allow
NotAction: iam:*
Resource: '*'
I'm open to new ideas, but this solution is the most secure I've reached.

AWS Managed Policy Vs Policy

Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of Cloud Formation?
More specifically, I'm trying to define an auto scaling template where:
Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
The same policy is applied to the user when they try and access these instances.
I'm trying to keep duplication to a minimum and it seems like I may be able to achieve it via a Policy linked to a role, and group of users. The role can then be associated with EC2 Instance via instance profile and users can be added to the groups which in turn are assigned the policy.
Why and under what circumstances would one use a ManagedPolicy?
Thank you for your assistance.
EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?
AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.
The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.
If I may add, testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share, iam.Policy is created as an inline policy.
new iam.Policy(this, 'testPolicy2', {
statements: policyDocs,
//groups: [s3UserGroup],
policyName: 'testPolicy2'
})
new iam.ManagedPolicy(this, 'testPolicy3', {
statements: policyDocs,
//groups: [s3UserGroup],
managedPolicyName: 'testPolicy3'
})