Restricting IAM CreateRole to disallow trust policies with external AWS accounts


Let's say an organization has a policy that denies the CreateRole action for most users. However, this restriction hinders rapid development as it blocks users from using the console wizard's create role features for various AWS services.

My goal is to allow users to create IAM roles using the console wizard, but restrict them from creating roles with trust policies that include external AWS account numbers or IAM users/roles from different accounts. The trust policies should only allow resources within the current AWS account. (Any other restrictions I should consider?)

I have come up with an IAM policy that uses the StringNotLike condition operator on the aws:PrincipalARN condition key. Here's the IAM policy I have in mind:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

And then I would add an SCP in AWS Organizations to only allow CreateRole (with the above restrictions) in development accounts.

I am concerned that this approach might not cover all cases, especially when the trust policy includes an AWS IAM user ARN from a different account. Is this the best approach for achieving my goal, or is there a better way to restrict CreateRole action to trust policies containing only the current AWS account's resources?

2 Answers

Accepted Answer

Here is one possible solution that may work: Granting a user permissions to pass a role to an AWS service in the AWS IAM documentation.

This grants users permissions to create service roles in order to launch an EC2 instance. I am curious whether it will be affected differently for services launched through the Launch Wizard. Please reply and follow up if you continue to have issues. I'm certain there is more than one way to accomplish this task, using a combination of permission boundaries, SCPs, or Control Tower Guardrails. This was the first solution that came to mind.

Granting a user permissions to pass a role to an AWS service

Example 1

Suppose you want to grant a user the ability to pass any of an approved set of roles to the Amazon EC2 service upon launching an instance. You need three elements:

  • An IAM permissions policy attached to the role that determines what the role can do. Scope permissions to only the actions that the role must perform, and to only the resources that the role needs for those actions. You can use an AWS managed or customer-created IAM permissions policy.
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [ "A list of the permissions the role is allowed to use" ],
        "Resource": [ "A list of the resources the role is allowed to access" ]
    }
}
  • A trust policy for the role that allows the service to assume the role. For example, you could attach the following trust policy to the role with the UpdateAssumeRolePolicy action. This trust policy allows Amazon EC2 to use the role and the permissions attached to the role.
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "TrustPolicyStatementThatAllowsEC2ServiceToAssumeTheAttachedRole",
        "Effect": "Allow",
        "Principal": { "Service": "ec2.amazonaws.com" },
        "Action": "sts:AssumeRole"
    }
}
  • An IAM permissions policy attached to the IAM user that allows the user to pass only those approved roles. You usually add iam:GetRole to iam:PassRole so the user can get the details of the role to be passed. In this example, the user can pass only roles that exist in the specified account with names beginning with EC2-roles-for-XYZ-:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"
    }]
}

Now the user can start an Amazon EC2 instance with an assigned role. Applications running on the instance can access temporary credentials for the role through the instance profile metadata. The permissions policies attached to the role determine what the instance can do.

abemusa (AWS)
answered a year ago
reviewed a month ago

Service Control Policies cannot be used to control the contents of trust policy documents or any other kind of resource-based policy. At this time there is no AWS-native method for preventing a user from creating a trust policy based on its content. See the link below to learn more about the difference between identity-based and resource-based policies.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html

Customers who want to perform custom safety checks on policies often use a deployment pipeline that tests the policy with IAM Access Analyzer Policy Validator in addition to their custom safety checks instead of allowing users to make policy changes directly.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html

AWS
answered a year ago
kentrad (AWS)
reviewed a year ago
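As an added example of the kind of custom safety check the second answer describes for a deployment pipeline (this is not code from either answer or from AWS), the following Python script parses a candidate trust policy and rejects any Allow statement whose principal is outside the current account: a bare account ID or IAM ARN of another account, the "*" wildcard, a Federated principal, or a NotPrincipal element. Service principals such as ec2.amazonaws.com are accepted, since those are what the console wizard generates. The account ID and the two sample policies are constructed for the example; the function names are the example's own.

```python
"""
Custom pipeline check for IAM role trust policies: reject any principal
that is not in the current AWS account.  Added example, not code from
the original post.  CURRENT_ACCOUNT and the sample policies are constructed.
"""
import json
import re

# Constructed sample account ID for this example (not a real account).
CURRENT_ACCOUNT = "111111111111"

# arn:<partition>:iam::<12-digit account>:<resource>  (partition may be aws, aws-cn, aws-us-gov)
_ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::(\d{12}):(.+)$")
_ACCOUNT_RE = re.compile(r"^\d{12}$")


def _as_list(value):
    """IAM policy grammar allows a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def check_principal(principal, current_account):
    """Return a list of findings for one Principal element (empty if all in-account)."""
    if principal == "*":
        return ["wildcard principal '*' (anyone)"]
    if not isinstance(principal, dict):
        return [f"unexpected Principal value: {principal!r}"]
    findings = []
    for ptype, values in principal.items():
        for v in _as_list(values):
            if ptype == "AWS":
                if v == "*":
                    findings.append("wildcard AWS principal '*'")
                elif _ACCOUNT_RE.match(v):          # bare account ID, e.g. "123456789012"
                    if v != current_account:
                        findings.append(f"external account {v}")
                else:
                    m = _ARN_RE.match(v)
                    if not m:
                        findings.append(f"unparseable AWS principal {v}")
                    elif m.group(1) != current_account:
                        findings.append(f"external principal {v}")
            elif ptype == "Service":
                continue  # service principals (ec2.amazonaws.com, ...) are what the wizard needs
            elif ptype == "Federated":
                findings.append(f"federated principal {v}")  # SAML/OIDC providers need separate review
            else:
                findings.append(f"unknown principal type {ptype}")
    return findings


def check_trust_policy(policy, current_account=CURRENT_ACCOUNT):
    """Accept a policy as JSON text or dict; return all findings (empty list = safe)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access to anyone
        if "NotPrincipal" in stmt:
            findings.append(f"statement {i}: NotPrincipal with Allow grants access to everyone else")
            continue
        if "Principal" not in stmt:
            findings.append(f"statement {i}: missing Principal")
            continue
        findings.extend(f"statement {i}: {f}" for f in check_principal(stmt["Principal"], current_account))
    return findings


# Constructed sample trust policies for the example.
SAMPLE_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
SAMPLE_BAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::222222222222:user/alice",
                                         "arn:aws:iam::111111111111:root"]},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, pol in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        findings = check_trust_policy(pol)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run this in the pipeline before the role is created or its trust policy updated, alongside `aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY --policy-document file://trust.json`, which reports syntax and best-practice findings but has no notion of which account is "yours". The check deliberately treats any Federated principal as a finding rather than trying to judge it, and it does not examine Condition keys such as aws:PrincipalOrgID or sts:ExternalId; a stricter pipeline would add those as assumptions specific to its own environment.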
