IAM Permissions Boundaries

Minakshi Jha
3 min read · Nov 11, 2022


We have come a long way in this IAM series, so let's move on to permissions boundaries.

AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

An entity with a permissions boundary can perform only the actions that are allowed by both its identity-based policies and its permissions boundary; a permission granted by one but not the other is not effective.

Let's understand this with an example.

Suppose we have a user, Linda, who is not a trustworthy user, and she has a permissions policy attached that gives her full access to IAM.

She doesn't have any other permissions, but she can do whatever she wants in IAM. Let's see how Linda might get around that restriction. She can create a new IAM user, call it user X, and attach the AdministratorAccess permissions policy to that user account. By logging in as the account she just created, Linda now has full administrative privileges. That's not a good situation.

We can avoid this kind of situation using a permissions boundary. The boundary ensures that any user Linda creates has the same or fewer permissions than she does, so she cannot create a user account with more permissions than her own.

To apply a permissions boundary, we first create the boundary policy in AWS. The permissions boundary policy is shown below (Your_Account stands for your AWS account ID).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMAccess",
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyPermBoundaryIAMPolicyAlteration",
      "Effect": "Deny",
      "Action": [
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": [
        "arn:aws:iam::Your_Account:policy/PermissionsBoundary"
      ]
    },
    {
      "Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUserPermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary"
      ],
      "Resource": [
        "arn:aws:iam::Your_Account:user/*",
        "arn:aws:iam::Your_Account:role/*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::Your_Account:policy/PermissionsBoundary"
        }
      }
    },
    {
      "Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied",
      "Effect": "Deny",
      "Action": [
        "iam:PutUserPermissionsBoundary",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": [
        "arn:aws:iam::Your_Account:user/*",
        "arn:aws:iam::Your_Account:role/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::Your_Account:policy/PermissionsBoundary"
        }
      }
    },
    {
      "Sid": "DenyUserAndRoleCreationWithOutPermBoundary",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws:iam::Your_Account:user/*",
        "arn:aws:iam::Your_Account:role/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::Your_Account:policy/PermissionsBoundary"
        }
      }
    }
  ]
}

Then we attach this PermissionsBoundary policy to Linda's user as her permissions boundary, alongside the IAM full access policy.

In this way she can still create users, but only with permissions equal to or below her own: the Deny statements force every user or role she creates to carry the same boundary, so they are capped just as she is.

So in simple terms, if a user or role has a permission but you want to restrict a certain part of it, you can do this using a permissions boundary.
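To see why the boundary stops Linda's trick, it helps to replay the evaluation by hand. The script below is an added illustration, not code from the original post and not AWS's real policy engine: it implements the simplified rules the post relies on (an explicit Deny wins; otherwise a request needs a matching Allow in both the identity policy and the boundary) and then runs Linda's and user X's requests through them. The account ID 123456789012, the user name X and the S3 ARN are constructed values; the boundary document is the one shown above with Your_Account substituted, and the identity policies are written out in the shape of the AWS managed IAMFullAccess and AdministratorAccess policies.

```python
"""Added illustration, not AWS's real engine: a simplified model of how an
identity-based policy combines with a permissions boundary. Rules modelled:
an explicit Deny in either document wins; otherwise the request is allowed only
if BOTH documents contain a matching Allow; Action/Resource accept '*'; the only
condition operators are StringEquals/StringNotEquals, and an absent context key
makes StringNotEquals match (this is why the WithOutPermBoundary deny fires)."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed account id, stands in for Your_Account
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/PermissionsBoundary"
USER_OR_ROLE = [f"arn:aws:iam::{ACCOUNT}:user/*", f"arn:aws:iam::{ACCOUNT}:role/*"]
HAS_BOUNDARY = {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}
LACKS_BOUNDARY = {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}


def _deny(sid, actions, resources, condition=None):
    """Build one Deny statement so the boundary definition below stays readable."""
    stmt = {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": resources}
    if condition:
        stmt["Condition"] = condition
    return stmt


# The boundary policy from the post, with Your_Account replaced by ACCOUNT.
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IAMAccess", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    _deny("DenyPermBoundaryIAMPolicyAlteration",
          ["iam:DeletePolicy", "iam:DeletePolicyVersion",
           "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"], [BOUNDARY_ARN]),
    _deny("DenyRemovalOfPermBoundaryFromAnyUserOrRole",
          ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
          USER_OR_ROLE, HAS_BOUNDARY),
    _deny("DenyAccessIfRequiredPermBoundaryIsNotBeingApplied",
          ["iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
          USER_OR_ROLE, LACKS_BOUNDARY),
    _deny("DenyUserAndRoleCreationWithOutPermBoundary",
          ["iam:CreateUser", "iam:CreateRole"], USER_OR_ROLE, LACKS_BOUNDARY),
]}
# Identity-based policies for the scenario, in the shape of the AWS managed
# IAMFullAccess and AdministratorAccess policies (written out here, not fetched).
IAM_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, context):
    """True if the statement's Action, Resource and Condition all cover the request."""
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the request carries no such key
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def _decision(policy, action, resource, context):
    """'Deny', 'Allow' or 'Implicit' (nothing matched) for a single document."""
    outcome = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation at once
            outcome = "Allow"
    return outcome


def is_allowed(identity_policy, boundary, action, resource, context=None):
    """Effective decision; boundary=None models an entity with no boundary attached."""
    context = context or {}
    identity = _decision(identity_policy, action, resource, context)
    bound = "Allow" if boundary is None else _decision(boundary, action, resource, context)
    return identity == "Allow" and bound == "Allow"  # Deny or Implicit on either side fails


def linda_scenarios():
    """Replay the post's story; each value is the effective allow (True) / deny (False)."""
    x = f"arn:aws:iam::{ACCOUNT}:user/X"
    ctx = {"iam:PermissionsBoundary": BOUNDARY_ARN}  # boundary passed with the request
    return {
        # Before the fix: IAM full access and no boundary, so Linda can create X freely.
        "linda_unbounded_creates_x": is_allowed(IAM_FULL_ACCESS, None, "iam:CreateUser", x),
        # After the fix: creating X without passing the boundary is denied ...
        "linda_creates_x_without_boundary": is_allowed(IAM_FULL_ACCESS, PERMISSIONS_BOUNDARY, "iam:CreateUser", x),
        # ... creating X with the boundary attached is still allowed ...
        "linda_creates_x_with_boundary": is_allowed(IAM_FULL_ACCESS, PERMISSIONS_BOUNDARY, "iam:CreateUser", x, ctx),
        # ... and Linda cannot strip the boundary from X afterwards.
        "linda_removes_boundary_from_x": is_allowed(IAM_FULL_ACCESS, PERMISSIONS_BOUNDARY, "iam:DeleteUserPermissionsBoundary", x, ctx),
        # X carries AdministratorAccess, yet the boundary caps X to IAM actions ...
        "x_reads_s3_object": is_allowed(ADMINISTRATOR_ACCESS, PERMISSIONS_BOUNDARY, "s3:GetObject", "arn:aws:s3:::bucket/key"),
        # ... and X cannot rewrite the boundary policy itself.
        "x_edits_boundary_policy": is_allowed(ADMINISTRATOR_ACCESS, PERMISSIONS_BOUNDARY, "iam:CreatePolicyVersion", BOUNDARY_ARN),
    }
```

The interesting case is the first Deny: when Linda calls CreateUser without a boundary, the iam:PermissionsBoundary key is simply absent from the request, and StringNotEquals against an absent key evaluates as true, so the deny fires. That is also why the boundary can be enforced on users Linda creates rather than only on Linda herself: user X ends up with AdministratorAccess on paper but an effective permission set that is the intersection with the boundary, which is IAM only, minus the actions the boundary explicitly denies.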

So that's all for this part. Happy learning!!
