user6634768

AWS IAM: How to prevent privilege elevation with IAM policies?

There is a policy attached to a user/role which is allowed to create other policies and roles, but, for example, the original role doesn't have permissions to do s3:PutObject. Is there any way I can prevent this role/user from creating another policy which allows s3:PutObject and elevating its own permissions by that?

Upvotes: 0

Views: 620

Answers (1)

jarmod

Reputation: 78653

If you grant users the ability to create policies and roles, then you trust them not to abuse it. Very few admins should have this ability.

The way to solve your case is for an uber-admin to create policies and roles, and for your user to be restricted to which policies/roles he can attach (see related article). You can also implement automation to validate the policies created by your uber-admins meet certain conditions.

Upvotes: 1
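The restriction the answer describes, as an added example that is not part of the original answer: an identity policy for the limited user that only permits attaching policies from a fixed allowlist (via the `iam:PolicyARN` condition key) and explicitly denies authoring new managed or inline policies. The account ID and the two approved policy names are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachOnlyPoliciesApprovedByUberAdmin",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": [
            "arn:aws:iam::123456789012:policy/approved-app-reader",
            "arn:aws:iam::123456789012:policy/approved-app-writer"
          ]
        }
      }
    },
    {
      "Sid": "DenyWritingNewPolicyDocuments",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:SetDefaultPolicyVersion",
        "iam:PutRolePolicy",
        "iam:PutUserPolicy",
        "iam:PutGroupPolicy"
      ],
      "Resource": "*"
    }
  ]
}
```

The Deny statement closes both routes from the question (a new managed policy, or an inline policy put directly on a role), so the only permissions this user can hand out are the ones already reviewed and created by the uber-admin; the condition also lets you audit escalation attempts by watching for AccessDenied on these actions in CloudTrail.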
