@caylorme
Last active August 15, 2022 20:32
Permissions Boundary example

This pull request creates a new resource, FederatedRolePermissionsBoundary, in LZConfig/templates/aws_baseline/aws-landing-zone-default-azure-roles.template

FederatedRolePermissionsBoundary is an IAM managed policy that is applied as a Permissions Boundary to all existing federated roles.

This policy has several statements:

- AllowAll -- Allows all actions by default
- DenyWriteToRoleWithoutBoundaryPolicy -- Denies the ability to write to any role that does not have this boundary policy attached
- DenyWriteToThisPolicy -- Denies the ability to modify this policy
- DenyDeletePermissionsBoundary -- Denies the ability to delete any permissions boundary
- DenyWriteToUser -- Denies the ability to create or modify users

For information on the nature of permissions boundaries, please visit here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

For information on the evaluation logic of policies and how permissions boundaries fit in, please visit here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: Example Role with Permissions Boundaries
Resources:
  ###
  # Federated Role Permissions Boundary
  # Default allow all actions
  # Explicitly deny writes to user resources
  # Explicitly deny writes to roles where the boundary policy is not set to this policy
  # A permissions boundary must be a managed policy, so this is an AWS::IAM::ManagedPolicy
  # (whose !Ref returns the policy ARN), not an inline AWS::IAM::Policy.
  ###
  FederatedRolePermissionsBoundary:
    Type: AWS::IAM::ManagedPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F4
            reason: "This is a boundary policy and should allow for default all actions"
    Properties:
      ManagedPolicyName: "FederatedRolePermissionsBoundary"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAll
            Effect: Allow
            Action: "*"
            Resource: "*"
          # StringNotEquals is a negated operator: it also matches when the request carries no
          # iam:PermissionsBoundary key at all, so roles without any boundary are denied too.
          - Sid: DenyWriteToRoleWithoutBoundaryPolicy
            Effect: Deny
            Action:
              - iam:DetachRolePolicy
              - iam:DeleteRolePolicy
              - iam:PutRolePermissionsBoundary
              - iam:CreateRole
              - iam:AttachRolePolicy
            Resource: "*"
            Condition:
              StringNotEquals:
                "iam:PermissionsBoundary": !Sub "arn:aws:iam::${AWS::AccountId}:policy/FederatedRolePermissionsBoundary"
          - Sid: DenyWriteToThisPolicy
            Effect: Deny
            Action:
              - "iam:CreatePolicyVersion"
              - "iam:DeletePolicy"
              - "iam:DeletePolicyVersion"
              - "iam:SetDefaultPolicyVersion"
            Resource:
              - !Sub "arn:aws:iam::${AWS::AccountId}:policy/FederatedRolePermissionsBoundary"
          - Sid: DenyDeletePermissionsBoundary
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
              - iam:DeleteUserPermissionsBoundary
            Resource: "*"
          - Sid: DenyWriteToUser
            Effect: Deny
            Action:
              - iam:UpdateUser
              - iam:PutUserPermissionsBoundary
              - iam:AttachUserPolicy
              - iam:DeleteUserPolicy
              - iam:DeleteUser
              - iam:DeleteUserPermissionsBoundary
              - iam:CreateUser
              - iam:TagUser
              - iam:UntagUser
              - iam:RemoveUserFromGroup
              - iam:AddUserToGroup
              - iam:PutUserPolicy
              - iam:DetachUserPolicy
            Resource:
              - "arn:aws:iam::*:user/*"
              - "arn:aws:iam::*:group/*"
  ###
  # Administrator Role
  # Federated with the SAML IDP
  # Access to Everything
  ###
  AdministratorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AdministratorRole
      # !Ref on a managed policy yields its ARN, which is what PermissionsBoundary requires
      PermissionsBoundary: !Ref FederatedRolePermissionsBoundary
      Path: /
      # Trust policy is required by AWS::IAM::Role; the SAML provider name is a placeholder
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/PLACEHOLDER_SAML_PROVIDER"
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                "SAML:aud": https://signin.aws.amazon.com/saml
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
```
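The following is an added example, not part of the gist, that models in plain Python how the boundary above combines with the AdministratorAccess identity policy under the IAM evaluation logic linked earlier (explicit deny wins, otherwise both the boundary and the identity policy must allow). The account id and the request ARNs are constructed values; the statements are transcribed from the template.

```python
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed account id, not a real one
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/FederatedRolePermissionsBoundary"
ROLE_ACTIONS = ["iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:PutRolePermissionsBoundary",
                "iam:CreateRole", "iam:AttachRolePolicy"]
POLICY_ACTIONS = ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion",
                  "iam:SetDefaultPolicyVersion"]
USER_ACTIONS = ["iam:UpdateUser", "iam:PutUserPermissionsBoundary", "iam:AttachUserPolicy",
                "iam:DeleteUserPolicy", "iam:DeleteUser", "iam:DeleteUserPermissionsBoundary",
                "iam:CreateUser", "iam:TagUser", "iam:UntagUser", "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup", "iam:PutUserPolicy", "iam:DetachUserPolicy"]

# The five statements of the boundary policy in the template, in the same order.
BOUNDARY = [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},                    # AllowAll
    {"Effect": "Deny", "Action": ROLE_ACTIONS, "Resource": ["*"],               # DenyWriteToRoleWithoutBoundaryPolicy
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Deny", "Action": POLICY_ACTIONS, "Resource": [BOUNDARY_ARN]},   # DenyWriteToThisPolicy
    {"Effect": "Deny", "Action": ["iam:DeleteRolePermissionsBoundary",         # DenyDeletePermissionsBoundary
                                  "iam:DeleteUserPermissionsBoundary"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": USER_ACTIONS,                                  # DenyWriteToUser
     "Resource": ["arn:aws:iam::*:user/*", "arn:aws:iam::*:group/*"]},
]
ADMINISTRATOR_ACCESS = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]  # the role's identity policy

def _matches(stmt, action, resource, ctx):
    """True if the statement applies to the request (IAM action names are case-insensitive)."""
    if not any(fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, p) for p in stmt["Resource"]):
        return False
    # StringNotEquals is a negated operator: a request that carries no iam:PermissionsBoundary
    # key (e.g. CreateRole without a boundary) satisfies it, so the Deny still applies.
    for key, want in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if ctx.get(key) == want:
            return False
    return True

def _decision(policy, action, resource, ctx):
    effects = {s["Effect"] for s in policy if _matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"

def is_allowed(identity_policy, action, resource, ctx=None):
    """Evaluation logic for a principal with a boundary: an explicit Deny in either policy
    wins, and otherwise the boundary AND the identity policy must both Allow."""
    ctx = ctx or {}
    return all(_decision(p, action, resource, ctx) == "Allow" for p in (BOUNDARY, identity_policy))
```

Running the model also shows a gap worth knowing about: iam:PutRolePolicy is not in DenyWriteToRoleWithoutBoundaryPolicy, so the boundary as written still lets the administrator role add inline policies to roles that have no boundary.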