Score:0

Limit what kind of policies and roles an admin role can create in AWS


Is there a way in AWS to limit what kind of roles and policies another role can create?

In my setup, I have two kinds of admin roles: AccountAdmin and InfraAdmin. The AccountAdmin one has more rights, while the InfraAdmin one has only the set of rights needed to run day-to-day operations.

Now I have a situation where the InfraAdmin role needs rights to create bundles consisting of an EC2 instance, an RDS database and an S3 bucket (a slightly simplified description, so that we can focus on the main point). Together these form a single logical service, and I have multiple of these bundles, which should not be able to access each other's RDS databases or S3 buckets. To allow the EC2 instance to access its RDS database and S3 bucket, I create an instance profile, a role and policies. Currently this requires me to grant the InfraAdmin rights to create roles and policies, which kind of destroys the principle of least privilege, and the split between AccountAdmin and InfraAdmin becomes pointless.

Is there a way to limit what kind of policies and roles the InfraAdmin role can create, so that it cannot be used to grant extra rights to itself or to create new, more powerful roles?

Score:1

Yes, you can use AWS Organizations to set up a policy-based governance framework that allows you to set rules and policies that apply to all of the AWS accounts in your organization. This allows you to control which services and actions your InfraAdmin role can use, as well as restrict the policies and roles it can create.

To do this, you would first need to create an organizational unit (OU) for your InfraAdmin role, and then attach a service control policy (SCP) to that OU that specifies the services and actions that the InfraAdmin role is allowed to use. You can then use AWS Identity and Access Management (IAM) to define the policies and roles that the InfraAdmin role is allowed to create, and attach those policies to the InfraAdmin role.

For example, you could create an SCP that allows the InfraAdmin role to use only the EC2, RDS, and S3 services, and restrict the actions that it can perform on those services to only the ones that are necessary for creating and managing the bundles you described. You could then use IAM to create policies that allow the InfraAdmin role to create and manage instance profiles, roles, and policies for those services, and attach those policies to the InfraAdmin role. This would allow the InfraAdmin role to create the necessary resources for the bundles without giving it the ability to grant extra rights to itself or create new more powerful roles.

Overall, using AWS Organizations and IAM in this way allows you to set up a more fine-grained and secure access control system for your AWS accounts and resources.
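As an added example (not code from the answer above or from AWS), here is the IAM side of what the answer describes for a single account: a permissions boundary that caps every role InfraAdmin creates, and a managed policy for InfraAdmin that only allows creating or editing roles when that boundary is set on them. Everything in it is an assumption for illustration: the `bundle-` name prefix for roles, instance profiles, policies, buckets and databases, the policy names `BundleBoundary` and `InfraAdminBundleIam`, and the CloudFormation packaging (the policy documents themselves are plain IAM JSON and can be created with the CLI or console instead).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (assumed names): cap InfraAdmin's IAM rights with a permissions
  boundary so it can create per-bundle roles, but only roles that are capped.

Resources:
  # Ceiling for every role InfraAdmin creates. There is no iam:* in here, so a
  # bundle role can never mint further principals or policies, whatever
  # InfraAdmin attaches to it. A boundary limits; it does not grant.
  BundleBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: BundleBoundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: BundleRuntimeCeiling
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
              - rds-db:connect
              - rds:DescribeDBInstances
            Resource:
              - arn:aws:s3:::bundle-*
              - arn:aws:s3:::bundle-*/*
              - !Sub arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:*/*
              - !Sub arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:bundle-*

  # Attached to the InfraAdmin role by AccountAdmin.
  InfraAdminIamPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: InfraAdminBundleIam
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Roles may be created or edited only while BundleBoundary is set on
          # them; iam:PermissionsBoundary is evaluated for all five actions.
          - Sid: CreateBundleRolesOnlyWithBoundary
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/bundle-*
            Condition:
              StringEquals:
                iam:PermissionsBoundary: !Ref BundleBoundary
          - Sid: BundleRoleAndInstanceProfileLifecycle
            Effect: Allow
            Action:
              - iam:DeleteRole
              - iam:GetRole
              - iam:PassRole
              - iam:CreateInstanceProfile
              - iam:DeleteInstanceProfile
              - iam:AddRoleToInstanceProfile
              - iam:RemoveRoleFromInstanceProfile
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/bundle-*
              - !Sub arn:aws:iam::${AWS::AccountId}:instance-profile/bundle-*
          - Sid: BundleCustomerManagedPolicies
            Effect: Allow
            Action:
              - iam:CreatePolicy
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:GetPolicy
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:policy/bundle-*
          # Close the escape hatches: rewriting the boundary itself, or
          # swapping/stripping the boundary on a role after creation.
          - Sid: ProtectBoundaryDocument
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Ref BundleBoundary
          - Sid: NoBoundaryChanges
            Effect: Deny
            Action:
              - iam:PutRolePermissionsBoundary
              - iam:DeleteRolePermissionsBoundary
            Resource: "*"
```

With this in place, `iam create-role --role-name bundle-a-ec2` fails unless `--permissions-boundary` names BundleBoundary, and a bundle role that InfraAdmin wires to, say, `AdministratorAccess` still evaluates to the intersection of that policy and the boundary, i.e. bundle-prefixed S3 and RDS access only. Per-bundle isolation (bundle-a may not read bundle-b's bucket) still comes from the role's own policy naming its own resources; the boundary is the ceiling that stops any of those roles, and therefore InfraAdmin, from reaching IAM. It does nothing for InfraAdmin's direct EC2/RDS/S3 rights, which belong in a separate policy, and it needs no AWS Organizations; SCPs can add an account-wide version of the same deny statements on top.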

mikoni
Sorry for taking a bit longer to upvote and approve. I was hoping to find an alternative approach that would not require the use of AWS Organizations (mainly because, in my use case, I have no access to them). I think there is an alternative approach that is also possible, but I haven't had time to test it, and anyway, your answer is definitely the preferred way of doing this.