Join Log in
Score:1
Jamie Forrest avatar Server

AWS IAM: deny users from creating policies on specific resources

cn flag
Jamie Forrest

I want to be able to give my admin users the permission to create policies in IAM, but I want to make sure that they aren't able to create a policy that affects a specific resource.

To be more specific, these admin users are currently in a user group with a policy that gives them full S3 access except for a specific S3 bucket (in this case, it's a bucket that contains CloudTrail logs). They are also in another user group that gives them full access to IAM, which means it would be easy enough for them to create/edit this S3 policy to give themselves access to that bucket again. Is there a way to do what I'm trying to do, or perhaps a better way to set this up?

227
1 + 2
palvarez avatar
ki flag
palvarez
Are you by any chance using AWS Organizations?
0
Reply
Jamie Forrest avatar
cn flag
Jamie Forrest
Yes, we do use AWS Organizations.
0
Reply
Score:1
palvarez avatar Server
ki flag
palvarez

With AWS Organizations you can use Service Control Policies to deny access to services and resources. Considering you have a specific role or users that need access to your bucket you can except them of this deny. The SCP would look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudtrailBucket",
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/myrole",
                        "arn:aws:iam::*:user/myuser"
                    ]
                }
            }
        }
    ]
}

Here the docs on how to create SCPs: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html

+ 2
Jamie Forrest avatar
cn flag
Jamie Forrest
But, couldn't a user who has full IAM access just remove this policy from themselves?
0
Reply
palvarez avatar
ki flag
palvarez
SCP is not an IAM policy, is part of Organizations. You can avoid them giving themselves access to organizations by having another SCP.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.