I have an organization root AWS account named cloud. Below is the policy attached to it.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::XXXXXXXXX:role/Account-accessROle"
        ]
    }
}

I have a role Accountaccessrole created in the child accounts. This role has a trust relationship with the organization account such that only the cloud user can assume it. Its trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{ROOTACCOUNT}:user/cloud"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Its attached policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "EC2:*",
            "Resource": "*"
        }
    ]
}

This is sorted. But the users from the child account (XXXXX) can use this role in Lambda to do something... I want to restrict it... no one from the child account should do anything with this role. How do I restrict this?

I tried adding a condition to the policy in the child account roles, but could not find anything specific.


1 Answers

If you are showing the correct trust policy, then users can't pass this role to a Lambda function, because there is no trust between the Lambda service and your role.

The second thing is that users in your child account (or any account for that matter) do not have rights to assume any role by default (they do not have the right to do anything by default), which means that someone granted them that privilege.

An easy solution would be to remove this privilege from them. If that is not feasible due to the amount of work it would require, then you can simply create an IAM policy which denies sts:AssumeRole for that particular resource (the IAM role that you want to restrict) and apply this role to a group where you can place all your users. This will, however, not prevent the root user of the child account (or any user with permissions to the IAM service) from bypassing this restriction.

Another option is to deny the above-mentioned action in an SCP and apply that SCP to the child account. You can either modify your current SCP if possible, or you can create a new one and apply it directly to the child account (note that you can apply multiple SCPs to an account/OU, and an explicit deny will overrule any existing allow statements).
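As an added example (not part of the answer above), here is what that SCP looks like when attached to the child account; the role ARN reuses the placeholder account id from the question. SCPs do not apply to principals in the organization's management account, so the cloud user there keeps its ability to assume the role, while every user, group and role inside the child account is explicitly denied, regardless of what their identity policies allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAssumeAccountAccessRoleFromChildAccount",
      "Effect": "Deny",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::XXXXXXXXX:role/Account-accessROle"
    }
  ]
}
```

The SCP only limits who inside the child account can call AssumeRole; the role's trust policy still decides which outside principals are allowed in, so keep both in place.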