iam role trust policy behavior

0

Hi

aws docs mentioned that iam role trust policy should be treated as a resource based policy but in fact it doesn't .

regularly iam user could get a permission from his identity policy (resource level permission) lets say s3:getobject then he will be allowed to do that action unless an explicit deny exist regardless of the default implicit deny on bucket policy .

so in case of iam role trust policy , lets say : role "A" trust user "B" in the same account if another user "C" in the same account had "sts:assumerole" permission in his identity based policy as a resource level permission then he should be able to assume the role even if user "c" is not in the trust policy which does not happen .

the current behavior is more like an explicit deny for any principal not specified in the trust policy .

it is not the default/documented behavior of the resource based policy which should be an implicit deny .

any thoughts ?

thanks

1 Answer
1
Accepted Answer

The documentation has been update to account for this exception.

Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

profile pictureAWS
EXPERT
kentrad
answered 2 years ago
profile picture
EXPERT
reviewed 3 months ago
  • Actually I read that before but didn't notice , Thanks Alot

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions