Permission Boundary
El siguiente es un resumen de IAM Policies que demuestran cómo puede aplicarse un Permissions Boundary al crear un IAM user.
Los Permissions Boundaries no otorgan permisos; más bien limitan hasta dónde puede llegar el acceso de un usuario en IAM para prevenir un "privilege escalation". Los permisos efectivos de un usuario son la intersección entre su identity policy y su boundary: una acción debe estar permitida en ambas.
User Boundary Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ServicesLimitViaBoundaries",
"Effect": "Allow",
"Action": [
"s3:*",
"cloudwatch:*",
"ec2:*"
],
"Resource": "*"
},
{
"Sid": "AllowIAMConsoleForCredentials",
"Effect": "Allow",
"Action": [
"iam:ListUsers","iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswordAndAccessKeys",
"Effect": "Allow",
"Action": [
"iam:*AccessKey*",
"iam:ChangePassword",
"iam:GetUser",
"iam:*ServiceSpecificCredential*",
"iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
}
]
}
La siguiente sería la admin boundary policy. Solo permite crear o modificar usuarios cuando se adjunta el boundary a4luserboundary (statement CreateOrChangeOnlyWithBoundary), y niega explícitamente editar las boundary policies o quitar el boundary de un usuario (statements NoBoundaryPolicyEdit y NoBoundaryUserDelete):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOrChangeOnlyWithBoundary",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:DeleteUserPolicy",
"iam:AttachUserPolicy",
"iam:DetachUserPolicy",
"iam:PutUserPermissionsBoundary",
"iam:PutUserPolicy"
],
"Resource": "*",
"Condition": {"StringEquals":
{"iam:PermissionsBoundary": "arn:aws:iam::MANAGEMENTACCOUNTNUMBER:policy/a4luserboundary"}}
},
{
"Sid": "CloudWatchAndOtherIAMTasks",
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"iam:GetUser",
"iam:ListUsers",
"iam:DeleteUser",
"iam:UpdateUser",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetLoginProfile",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:CreateGroup",
"iam:GetGroup",
"iam:DeleteGroup",
"iam:UpdateGroup",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetUserPolicy",
"iam:GetRolePolicy",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListEntitiesForPolicy",
"iam:ListUserPolicies",
"iam:ListAttachedUserPolicies",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:SetDefaultPolicyVersion",
"iam:SimulatePrincipalPolicy",
"iam:SimulateCustomPolicy"
],
"NotResource": "arn:aws:iam::MANAGEMENTACCOUNTNUMBER:user/bob"
},
{
"Sid": "NoBoundaryPolicyEdit",
"Effect": "Deny",
"Action": [
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": [
"arn:aws:iam::MANAGEMENTACCOUNTNUMBER:policy/a4luserboundary",
"arn:aws:iam::MANAGEMENTACCOUNTNUMBER:policy/a4ladminboundary"
]
},
{
"Sid": "NoBoundaryUserDelete",
"Effect": "Deny",
"Action": "iam:DeleteUserPermissionsBoundary",
"Resource": "*"
}
]
}
Por último, tenemos la IAM admin permissions policy. Esta identity policy concede iam:* de forma amplia; es la admin boundary policy anterior la que acota lo que el admin puede hacer realmente:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAM",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
},
{
"Sid": "CloudWatchLimited",
"Effect": "Allow",
"Action": [
"cloudwatch:GetDashboard",
"cloudwatch:GetMetricData",
"cloudwatch:ListDashboards",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
}