IAM policy allow creation of policies, but disallow changes of own account - amazon-web-services

For every project, we create two AWS accounts. One for development and staging and one for production. The developers have an IAM user in the root account and users assumed roles in the other accounts to access those.
I want to create a policy, which allows the developer to do nearly everything in the development account, including creating new policies and attaching those (for new resources, etc.), but the developer should not be able to modify his own role / attach new roles to himself.
Any ideas?

I'm facing the same issue I've already posted a question about that here (similar issue).
After a lot of research, I came to a conclusion: do not allow developers to create roles and policies.
Why?
I didn't find a way to answer my question allowing user creating roles only for resources and not for principals.
Even if I've found a solution for 1., there is a flaw: suppose developers can create roles for resources but not for principals and he (she) can create every policy he (she) wants. In this scenario, he (she) could create a policy for Lambdas and inside Lambdas, a script could be written to execute actions allowed by policies attached.
My final solution:
Create two groups called Developers and IAM in which IAM users can create any roles and policies, thus is trusted developers, and Developers can only attach policies whose path is services-roles, for instance.
Example a role attached to Developers group - allow users create everything except all iam actions except PassRole with path service-roles:
DevelopersIAMManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: 'Developers.'
# Groups:
# - String
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: iam:PassRole
Resource: 'arn:aws:iam::*:role/projects-roles/*'
- Effect: Allow
NotAction: iam:*
Resource: '*'
I'm open to new ideas, but this solution is the most secure I've reached.

Related

IAM PassRole restrictions

I need the permissions to pass an execution role to a Lambda when I create a CF.
So I have given the role used for creating the CF this:
Effect: Allow
Action:
- iam:PassRole
Resource:
- "myexecutionrole"
So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, put here I only find solution for restricting the source of the call not the target.
Is that I want possible and how?
You could use iam:AssociatedResourceArn. From docs:
Specifies the ARN of the resource to which this role will be associated at the destination service.

How to avoid deletion of existing managed policy?

Below is the policy rule to create once but cannot delete the policy once created through cloudFormation. These are managed policies.
- Effect: Deny
Action:
- "iam:CreatePolicyVersion"
- "iam:DeletePolicy"
- "iam:DeletePolicyVersion"
- "iam:SetDefaultPolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary"
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/some-policy"
- Effect: Deny
Action:
- "iam:DeleteRolePermissionsBoundary"
Resource:
- "*"
But through AWS console, I went and deleted those two policies directly, by selecting the policy, Policy actions ---> delete
Later I deleted the stack that created those two policies.
How to avoid deletion of policies? Why above rule did not avoid deletion of policy? given any Principal
Policies only impact principals to which they are attached.
Creation of a policy that denies (or allows) any action doesn't actually do anything to deny (or allow) that action, unless the policy is subsequently attached to a principal (IAM user, group, or role).
You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. (emphasis added)
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Since everything is initially denied by default, the fact that you cam delete the policy means your IAM user necessarily has been granted permission to delete the policy (more probably, you have permission to delete any policy) -- you already have a policy attached to your user that allows this. The best way prevent an action is to not grant permission to perform the action. You could also associate this policy with all users or a group of all users, then only the root user for your account could delete it -- but that's usually the wrong solution, because it's cancelling out a misconfiguration that granted the permission initially.

IAM policy - How to reference resources?

Below is the policy template created to restrict any Principal to do only below actions:
Resources:
MyPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: RulesToCreateUpdatePolicy
ManagedPolicyName: some-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicy"
- "iam:DeletePolicy"
- "iam:CreatePolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/xyz-lambda-*"
on a policy resource that starts with name xyz-lambda-.
This policy is assigned to EC2 host, with a role.
Does this policy name(like xyz-lambda-*) supposed to be already exist in AWS, before uploading this policy in AWS?
No, when you are specifying resource in your policy document, that resource doesn't need to exists at all.
If you take into consideration this action
iam:CreatePolicy
together with your resource, what it does is that it grants necessary permissions to create policy with that particular name xyz-lambda-*. It wouldn't make much of sense to require existence of such resource if the policy is granting permissions to create it in the first place.
When you consider the delete action
iam:DeletePolicy
if the resource doesn't exist then it does nothing. Once you create policy with the appropriate name, you will be able to delete it but it doesn't matter whether the policy existed before this ManagedPolicy was created or after or you have deleted and recreated policy with such name any number of times.
Lastly, since you have stated that this policy is attached to EC2 role then it should work without errors. But I would still recommend to grant iam:ListPolicies permission for any resource (policy) discovery that could be performed by an application running on EC2 instance. If you don't allow this action in your policy, your application will not be able to list policies and you would have to design some error prone workaround based on guessing or a strict naming scheme.
Policy name is not important. Resources unique by ARN only. IAM Resources unique within AWS account an if u don't create this resource before it's ok

How do you prevent a Role from being associated with an EC2 without a specific tag?

I created an AWS IAM Role and it included the following
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Condition:
StringEquals:
ec2:ResourceTag/AppCode: !Sub "${AppCode}"
I verified that my EC2 does contain tag AppCode and it had the value passed in to the CloudFormation.
After associating the Role with the EC2, I was not able to see the role when running 'aws configure list' on the EC2.
After removing the above condition it worked immediately! 'aws configure list' returned the correct results.
What is the correct why to prevent a Role from being associated with EC2 instances, unless they have a specific tag with a specific value?
Thanks
I'm not sure if what you describe is possible, but please keep exploring!
Your policy is saying "Allow the EC2 service to call AssumeRole if the has a particular tag".
The official way to control whether an EC2 instance can be assigned a role is to grant iam:PassRole to the IAM entity that is launching the instance.
If somebody does not have iam:PassRole, then they cannot specify a role when launching an instance. If you want them to be able to use a particular role, you can grant them iam:PassRole for a specific Role, which they can then use when launching an instance.
This method grants the IAM User/Group/Role the permission to select a Role, rather than controlling permissions based on the instance (that doesn't necessarily even exist yet).

AWS Managed Policy Vs Policy

Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of Cloud Formation?
More specifically, I'm trying to define an auto scaling template where:
Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
The same policy is applied to the user when they try and access these instances.
I'm trying to keep duplication to a minimum and it seems like I may be able to achieve it via a Policy linked to a role, and group of users. The role can then be associated with EC2 Instance via instance profile and users can be added to the groups which in turn are assigned the policy.
Why and under what circumstances would one use a ManagedPolicy?
Thank you for your assistance.
EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?
AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.
The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.
If I may add, testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share, iam.Policy is created as an inline policy.
new iam.Policy(this, 'testPolicy2', {
statements: policyDocs,
//groups: [s3UserGroup],
policyName: 'testPolicy2'
})
new iam.ManagedPolicy(this, 'testPolicy3', {
statements: policyDocs,
//groups: [s3UserGroup],
managedPolicyName: 'testPolicy3'
})