I am administering one AWS account. Now one of my non-privileged users asks me to give him rights to create IAM Roles. I understand that IAM Roles are usually the best choice, but I am afraid that they will be able to create a "Role for Cross-Account Access" and allow someone else access to my AWS account.

Is it possible to give access only to create "AWS Service Roles", but not "Role for Cross-Account Access"?

As far as I know there is no policy to restrict the type of IAM roles a user who has access to IAM can create, although there is a "read-only" policy for IAM users on IAM. Alternatively, you could create a simple web application that would allow the creation of only a specific type of IAM user. The application itself would have full IAM access via API, but you would limit the scope of what the application could do. - jpschroeder
Am I right in understanding that giving users rights to create IAM Roles is a vulnerability? Maybe it would be best for me not to give them permission at all (to IAM Roles)? - zombi_man
If it was my account, I sure wouldn't give them access to create IAM Roles. - jpschroeder
Ok, thank you. This is the answer to my question ) - zombi_man

1 Answer


You can allow it using a specific policy. In the example I allow using only the roles for an EMR cluster:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:AttachRolePolicy"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["iam:AttachRolePolicy"],
      "NotResource": [
        "arn:aws:iam::*:role/EMR_DefaultRole",
        "arn:aws:iam::*:role/EMR_EC2_DefaultRole"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["iam:AttachRolePolicy"],
      "Resource": ["*"],
      "Condition": {
        "ArnNotEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
          ]
        }
      }
    }
  ]
}
```
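The question's underlying worry is a role whose trust policy lets another account assume it. As an added example (not from the question or the answer), the check below flags exactly that in a role's `AssumeRolePolicyDocument`: it assumes the caller has already fetched and JSON-parsed the trust policies (for instance via `iam:GetRole`) and passes them in, and the sample roles and account IDs are constructed, not real.

```python
import re

# Account id inside an IAM/STS principal ARN, e.g. arn:aws:iam::123456789012:root
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def _as_list(value):
    # IAM allows a single string or a list in most positions
    return value if isinstance(value, list) else [value]

def external_principals(trust_doc, own_account_id):
    """Principals in a trust policy that are not this account: foreign account
    ids, the wildcard "*", and federated/other identity types. Service
    principals (what an "AWS Service Role" trusts) are treated as internal."""
    findings = set()
    for stmt in _as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.add("*")
            continue
        for kind, values in principal.items():
            if kind == "Service":
                continue
            for value in _as_list(values):
                if value == "*":
                    findings.add("*")
                elif kind == "AWS":
                    m = ARN_ACCOUNT_RE.match(value)
                    acct = m.group(1) if m else value  # bare 12-digit id form
                    if acct != own_account_id:
                        findings.add(acct)
                else:
                    findings.add(f"{kind}:{value}")
    return findings

def audit(roles, own_account_id):
    """Map role name -> sorted external principals, only for roles that have any."""
    result = {}
    for name, doc in roles.items():
        ext = external_principals(doc, own_account_id)
        if ext:
            result[name] = sorted(ext)
    return result

# Constructed sample trust policies: an EMR service role and a
# "Role for Cross-Account Access" that trusts two other accounts.
SAMPLE_ROLES = {
    "EMR_DefaultRole": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "elasticmapreduce.amazonaws.com"}}]},
    "PartnerAccess": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::333333333333:root", "222222222222"]}}]},
}
```

Running `audit(SAMPLE_ROLES, "111111111111")` reports only `PartnerAccess`; a same-account ARN such as `arn:aws:iam::111111111111:root` is not flagged.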