Meta permissions around creating roles in AWS IAM?

1
votes

Is there a way to create meta permissions when creating roles in AWS IAM? i.e. this user has permission to create roles, but those roles can only do X, Y and Z.

My use case is that I want a user to be able to create a role and attach it to a lambda function so the lambda can do certain things, e.g. read a file from S3.

But I want to restrict what permissions the roles can have to a certain set, i.e. I don't want them to be able to add permissions to the role that allows them to delete all S3 buckets in the account from within the lambda function for example.

Is something like possible/supported?

Thanks!

2
amazon-web-servicesamazon-iam

2 Answers

2
votes

Yes, it is through permissions boundaries:

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

This is rather complex use of IAM, thus you would have to go through some tutorials (one provided in AWS link given) on how to use them.

2
votes

AWS allows you to define permission boundaries in order to limit the permissions that can be applied to AWS IAM entities, like roles and users, but also to resources.

For example: If a role is restricted by a permission boundary that only allows read access to certain S3 buckets, giving the role full permissions will still result in it only being allowed to read.

In fact, this feature is often used in case where admin users should be able to manage permissions without being able to apply more privileges than a pre-defined set.