Allow only a particular Principal ARN from same account in trust policy

0

The below works, but AWS console complains. Overly permissive trust policy exists in your trust relationships Broad access: Principals that include a wildcard (*, ?) can be overly permissive.

The reason the principalARN is not in the AWS Principal section but in the condition is because of the self trust. See, https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/. I am creating the Role and attaching the trust policy via cloud formation and it won't let me add it's own ARN in Principal AWS section even before it is created.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/RoleName"
                }
            }
        }
    ]
}

So I am trying to figure out a way without wildcard.

Using root or account in the AWS principal instead as below is not working. That is, the access is denied for that particular principal arn

"Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
    "ArnEquals": {
      "aws:PrincipalArn": "arn:aws:iam::111122223333:role/ExampleCorpRole"
    }
  }
    }
  ]
}```


Other solution that also didn't work. The access is denied for that particular principal arn.

```{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/RoleName"
                }
            }
        }
    ]
}```
asked 4 months ago250 views
1 Answer
0

I believe the reason your second policy variation with the root principal isn't working is because of the special set of rules that apply to just two types of resource-based policies in AWS, one being these IAM role trust policies (also known as assume role policies) and the other being KMS key policies. The rules are different from those that apply to all other resource-based policies in AWS.

I think the second variation should work, if you additionally grant the corresponding sts:AssumeRole permission in the identity-based policy of the role. You can avoid the self-referencing problem in CFN for the identity-based policy by declaring the policy as an AWS::IAM::ManagedPolicy and attaching it to the role (with the Roles property of AWS::IAM::ManagedPolicy), rather than declaring the role as having the policy attached to it (with the Policies property of AWS::IAM::Role).

EXPERT
Leo K
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions