maxisme

Reputation: 4245

Restricting role escalation in AWS IAM permissions

Is it possible to create an AWS role (with "iam:CreateRole" permissions) in a way that prevents it from escalating its privileges, and only allows it to create new roles with a specific set of permissions, e.g. "s3:GetObject"?

I am not sure if PermissionsBoundary is what I am after; something like this (in Terraform):

  statement {
    sid       = "AddRole"
    effect    = "Allow"
    actions   = ["iam:CreateRole", "s3:CreateBucket"]
    resources = ["arn:aws:iam::${var.cluster.aws_account_id}:role/*"]
    condition {
      test     = "StringEquals"
      values   = [aws_iam_policy.boundary_role_iam_policy.arn]
      variable = "iam:PermissionsBoundary"
    }
  }

where boundary_role_iam_policy is a role that just allows "s3:GetObject"?

Upvotes: 0

Views: 625

Answers (2)

ZabielskiGabriel

Reputation: 600

Edit:

Sorry, I misunderstood your question - yes, the permissions boundary attached to the user should have the maximum access that you want to grant to the users, and the condition that you pasted in the question.

Also, I will leave this piece because it is a way in which you can do the same.

It is possible to do it using an SCP and a Permissions boundary.

  • SCP

    • should prevent access to create roles without attached Permissions boundary
    • preventing the ability to read/edit/detach Permissions boundary (for everything beyond you)
  • Permissions boundary Policy

    • as above - max permissions and conditional

Upvotes: 0

Paolo

Reputation: 25989

Yes, a permission boundary is exactly what you need.

Add the following as a permission boundary of the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "iam:CreateUser"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 1
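Putting both answers together, here is an added Terraform example (not code from either answerer) of a complete setup: the boundary policy that caps created roles at "s3:GetObject", and the creator policy that only allows iam:CreateRole and policy attachment when that exact boundary is supplied, while denying removal of the boundary and edits to the boundary policy itself. The resource names and var.aws_account_id are assumptions.

```hcl
# Constructed example; names and var.aws_account_id are assumptions.

# The boundary: maximum permissions any created role can ever have.
data "aws_iam_policy_document" "boundary" {
  statement {
    sid       = "MaxPermissions"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "boundary_role_iam_policy" {
  name   = "role-creation-boundary"
  policy = data.aws_iam_policy_document.boundary.json
}

data "aws_iam_policy_document" "create_role_with_boundary" {
  # Role creation and policy attachment succeed only when the role carries
  # this exact boundary; any other boundary (or none) is implicitly denied.
  statement {
    sid    = "AddRoleWithBoundary"
    effect = "Allow"
    actions = [
      "iam:CreateRole",
      "iam:AttachRolePolicy",
      "iam:PutRolePolicy",
      "iam:PutRolePermissionsBoundary",
    ]
    resources = ["arn:aws:iam::${var.aws_account_id}:role/*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = [aws_iam_policy.boundary_role_iam_policy.arn]
    }
  }
  # The creator must not be able to detach the boundary from any role...
  statement {
    sid       = "DenyBoundaryRemoval"
    effect    = "Deny"
    actions   = ["iam:DeleteRolePermissionsBoundary"]
    resources = ["arn:aws:iam::${var.aws_account_id}:role/*"]
  }
  # ...nor rewrite or delete the boundary policy to widen it.
  statement {
    sid       = "DenyBoundaryEdits"
    effect    = "Deny"
    actions   = ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion"]
    resources = [aws_iam_policy.boundary_role_iam_policy.arn]
  }
}
```

Attach the JSON of create_role_with_boundary to the creating role; a created role then has effective permissions equal to the intersection of its own policies and the boundary, so it can never exceed "s3:GetObject".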
