Reputation: 36583
AWS IAM user role or policy self contained
I'd like to create a user in IAM that can basically do anything (create, modify, delete) to resources that are created by that user itself.
This would include creation of other roles and policies...but again only such ones that would allow controlling resources created by the parent user itself.
The purpose is to be able to create a CloudFormation template that can be run by a non admin user but still create all resources required (including things like instance profiles and lambda execution roles). All such resources could then only be managed by the owning user, thus allowing for autonomy and isolation.
I have a feeling this could be accomplished with conditions in the policy document, but not sure exactly how.
Upvotes: 2
Views: 606
Answers (1)
Reputation: 1977
This is by no means perfect solution, and I'm not sure if that is what you need, but I recently did something similar and this is how I solved it:
We have a role that has AmazonElasticMapReduceFullAccess and Cloudformation read-only policies (managed by amazon) and one additional custom policy with coloudformation:DeleteStack permission (for deleting the EMR cluster resources).
You can restrict IAM policies on resource level. For example, the custom policy for deleting stacks looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:DeleteStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/EMRCluster*"
}
]
}
The way it works is that when the user needs an EMR cluster, they assume the role and create a stack named EMRCluster<date>-<UUID> and when they are done they remove the cluster resources using Cloudformation. This is, strictly speaking, not really necessary, since the user already has the EMR full access and can remove the resources (not only his) from EMR web console or via boto3 EMR API... It just makes things easier and allows the user to just do a single call to Cloudformation instead of managing EMR directly. It may look a bit funny to create and delete clusters with Cloudformation instead of directly, but it is much easier to manage a single JSON template than your custom configuration...
If you don't like that your user should have the entire EMR full access permission (quite a lot), I suggest that you play around with the EMR full access policy to allow user to create only certain resources and restrict removing resources in similar manner. Maybe you can give the user only a permission to call Cloudformation with certain template instead of that? I'm not sure if that would work without other permissions though...
Additionally, you can set VisibleToAllUsers=False in your template (see the docs), so only the user that created it should be able to manage the cluster.
Upvotes: 1
Related Questions
- What is exactly "Assume" a role in AWS?
- IAM tag policy with condition to prevent resource creation
- IAM Role limit sts:AssumeRole to one AWS Lambda function
- AWS Elasticsearch Service IAM Role based Access Policy
- Cannot create only IAM policy with cloudformation
- Creating an IAM policy attached to a user restricting user from creating custom managed policy with some actions
- Amazon IAM policy: restrict user to create group/role only if one of the attached policy is BaseDeny
- AWS IAM Policy to allow user to create IAM User with specific Policy/Roles
- Least privilege AWS IAM policy for cloudformation