
Permission Boundary In AWS






Scenario


Picture showing the issue when a permission boundary is not implemented








Steps




  1. Create a user IAMOnlyUser with the IAMFullAccess permission
  2. Create a user AdminAccess with the AdministratorAccess permission by logging in with the credentials of the IAMOnlyUser user
  3. Launch an EC2 instance using the AdminAccess user
  4. Create a new policy
  5. Apply the permission boundary to the IAMOnlyUser user
  6. Delete the AdminAccess user and create a user with the AdministratorAccess permission
  7. Launch an EC2 instance with the AdminAccess user



Create A User “IAMOnlyUser” With “IAMFullAccess” Permission




Picture showing creating the user IAMOnlyUser


Create A User “AdminAccess” With “AdministratorAccess” Permission By Logging In With The Credentials Of The “IAMOnlyUser” User




Picture showing creating the user AdminAccess


Launch An EC2 Instance Using The “AdminAccess” User




Picture showing the user AdminAccess having access to the EC2 dashboard




Create A New Policy




{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMAccess",
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*"
        },
        {
            "Sid": "DenyPermBoundaryIAMPolicyAlteration",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
            ]
        },
        {
            "Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
                }
            }
        },
        {
            "Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied",
            "Effect": "Deny",
            "Action": [
                "iam:PutUserPermissionsBoundary",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
                }
            }
        },
        {
            "Sid": "DenyUserAndRoleCreationWithOutPermBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
                }
            }
        }
    ]
}


Picture showing creating the new policy to be used as the permission boundary




Apply Permission Boundary To “IAMOnlyUser” User




Picture showing the permission boundary section of the user module



Picture showing adding the PermissionsBoundary policy as the permission boundary of the IAMOnlyUser user



Picture showing the PermissionsBoundary policy added as a permission boundary


Delete The “AdminAccess” User And Create A User With “AdministratorAccess” Permission




Picture showing the error message when the IAMOnlyUser user tries to create the AdminAccess user without a permission boundary



Picture showing the success message when the permission boundary is added to the AdminAccess user


Launch An EC2 Instance With “AdminAccess” User




Picture showing the API error message when the AdminAccess user accesses the EC2 dashboard
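To make the outcome of the steps above concrete, here is an added example (not code from the original post) that simulates how IAM combines a user's identity policy with its permissions boundary: the effective permission is the intersection of the two, and an explicit Deny in either wins. It assumes a constructed account id in place of YourAccount_ID and keeps only the Action and Condition parts of the page's boundary policy; it is a toy evaluator, not AWS's real policy engine.

```python
import fnmatch

# Constructed account id; the page's policy uses the YourAccount_ID placeholder.
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/PermissionsBoundary"
# Subset of the page's boundary policy (Resource fields dropped: actions and conditions only).
BOUNDARY = [
    {"Effect": "Allow", "Action": "iam:*"},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateRole"],
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Deny", "Action": ["iam:DeleteUserPermissionsBoundary",
                                  "iam:DeleteRolePermissionsBoundary"],
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
]
IAM_FULL_ACCESS = [{"Effect": "Allow", "Action": "iam:*"}]
ADMINISTRATOR_ACCESS = [{"Effect": "Allow", "Action": "*"}]

def _condition_met(cond, ctx):
    # Mirrors IAM: StringNotEquals on a key absent from the request evaluates true.
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringNotEquals" and actual == expected:
                return False
    return True

def _evaluate(statements, action, ctx):
    """'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for s in statements:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not _condition_met(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision

def is_allowed(identity_policy, boundary, action, ctx=None):
    """Effective permission = identity policy AND boundary, any explicit Deny winning."""
    ctx = ctx or {}
    if _evaluate(identity_policy, action, ctx) != "Allow":
        return False
    if boundary is None:
        return True
    return _evaluate(boundary, action, ctx) == "Allow"
```

The request context key iam:PermissionsBoundary carries the boundary ARN supplied when creating a user (or already attached to the target user), which is what the Deny statements test.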


Posted By  -  Karan Gupta
 
Posted On  -  Saturday, May 21, 2022
