
Permission Boundary In AWS






Scenario


Picture showing the issue when no permission boundary is applied: a user holding only IAMFullAccess can create a second user with AdministratorAccess and then sign in as that user, which turns "IAM only" access into full control of the account









Steps




  1. Create a user IAMOnlyUser with the IAMFullAccess managed policy attached
  2. Sign in with the credentials of IAMOnlyUser and create a user AdminAccess with the AdministratorAccess managed policy attached
  3. Launch an EC2 instance as the AdminAccess user
  4. Create a new policy named PermissionsBoundary
  5. Apply that policy as the permissions boundary of IAMOnlyUser
  6. Delete the AdminAccess user and, as IAMOnlyUser, try to create it again with AdministratorAccess
  7. Launch an EC2 instance as the AdminAccess user



Create A User “IAMOnlyUser” With “IAMFullAccess” Permission




Picture showing creating the user IAMOnlyUser



Create A User “AdminAccess” With “AdministratorAccess” Permission By Logging In With The Credentials Of “IAMOnlyUser”




Picture showing creating the user AdminAccess



Launch An EC2 Instance Using The “AdminAccess” User




Picture showing the user AdminAccess having access to the EC2 dashboard, so an IAM-only user has escalated to full administrator access





Create A New Policy

Create a customer managed policy named PermissionsBoundary (replace YourAccount_ID with your own account ID). It allows every IAM action and then uses explicit Deny statements to make the boundary self-protecting: the boundary policy itself cannot be edited or deleted, a boundary that is already set cannot be removed from a user or role, a different boundary cannot be put in its place, and new users and roles cannot be created unless this same boundary is attached to them. Because a StringNotEquals condition also matches when the iam:PermissionsBoundary key is absent from the request, a CreateUser call that supplies no boundary at all is denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMAccess",
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*"
        },
        {
            "Sid": "DenyPermBoundaryIAMPolicyAlteration",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
            ]
        },
        {
            "Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
                }
            }
        },
        {
            "Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied",
            "Effect": "Deny",
            "Action": [
                "iam:PutUserPermissionsBoundary",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
                }
            }
        },
        {
            "Sid": "DenyUserAndRoleCreationWithOutPermBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/PermissionsBoundary"
                }
            }
        }
    ]
}


Picture showing creating the PermissionsBoundary policy that will be used as the permission boundary





Apply Permission Boundary To “IAMOnlyUser” User




Picture showing the permission boundary section of the user module




Picture showing adding the PermissionsBoundary policy in the permission boundary section of the IAMOnlyUser user




Picture showing the PermissionsBoundary policy added as a permission boundary



Delete The “AdminAccess” User And Create A User With “AdministratorAccess” Permission




Picture showing the error message when the IAMOnlyUser user tries to create the AdminAccess user without a permission boundary




Picture showing the success message when the AdminAccess user is created with the PermissionsBoundary policy set as its permission boundary



Launch An EC2 Instance With The “AdminAccess” User




Picture showing the API error message when the AdminAccess user opens the EC2 dashboard: its AdministratorAccess policy is capped by the boundary, which allows IAM actions only
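The whole walkthrough, replayed offline. This is an added example, not code from the article or from AWS: a small Python model of the IAM evaluation rules the boundary depends on, with the article's PermissionsBoundary policy entered as data. The account ID 123456789012, the user name ExistingAdmin and the reduction of IAMFullAccess to its iam:* grant are assumptions. It shows why IAMOnlyUser can no longer create an unbounded administrator, why AdminAccess keeps AdministratorAccess yet cannot reach EC2, and one thing this boundary as written does not stop: because it still allows every iam: action, a bounded user can create access keys for administrators that existed before the boundary was introduced.

```python
"""Offline model of the authorization decisions in this walkthrough.

Added example, not AWS code: it implements only the evaluation rules the
scenario relies on. An explicit Deny in either the identity policy or the
boundary wins; otherwise both must Allow; StringEquals fails and
StringNotEquals succeeds when iam:PermissionsBoundary is absent from the
request. Account ID, user names and the IAMFullAccess shortcut are assumed.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # stands in for YourAccount_ID in the article's policy
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/PermissionsBoundary"
PRINCIPALS = [f"arn:aws:iam::{ACCOUNT}:user/*", f"arn:aws:iam::{ACCOUNT}:role/*"]

# The PermissionsBoundary policy from the article, statement by statement.
BOUNDARY_POLICY = [
    {"Effect": "Allow", "Action": ["iam:*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["iam:DeletePolicy", "iam:DeletePolicyVersion",
                                  "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
     "Resource": [BOUNDARY_ARN]},
    {"Effect": "Deny", "Action": ["iam:DeleteUserPermissionsBoundary",
                                  "iam:DeleteRolePermissionsBoundary"],
     "Resource": PRINCIPALS,
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Deny", "Action": ["iam:PutUserPermissionsBoundary",
                                  "iam:PutRolePermissionsBoundary"],
     "Resource": PRINCIPALS,
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateRole"],
     "Resource": PRINCIPALS,
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
]

# Identity policies of the two users. IAMFullAccess is reduced to its iam:* grant
# (assumption); AdministratorAccess really is "*" on "*".
IAM_FULL_ACCESS = [{"Effect": "Allow", "Action": ["iam:*"], "Resource": ["*"]}]
ADMINISTRATOR_ACCESS = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals with IAM's missing-key semantics."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != wanted:          # absent key -> condition is false
                    return False
            elif operator == "StringNotEquals":
                if actual == wanted:          # absent key -> condition is true
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or None (nothing matched) for a single policy."""
    outcome = None
    for st in policy:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


def authorize(identity_policy, action, resource, context=None, boundary=None):
    """Combine the identity policy with an optional permissions boundary as IAM does."""
    context = context or {}
    from_identity = evaluate_policy(identity_policy, action, resource, context)
    from_boundary = ("Allow" if boundary is None
                     else evaluate_policy(boundary, action, resource, context))
    if "Deny" in (from_identity, from_boundary):
        return "Deny"
    if from_identity == "Allow" and from_boundary == "Allow":
        return "Allow"
    return "ImplicitDeny"


def walkthrough():
    """Replay the article's steps and return each decision by name."""
    new_user = f"arn:aws:iam::{ACCOUNT}:user/AdminAccess"
    with_boundary = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    b = BOUNDARY_POLICY
    return {
        # Step 2: IAMOnlyUser has no boundary yet, so it can mint an administrator.
        "create_admin_before": authorize(IAM_FULL_ACCESS, "iam:CreateUser", new_user),
        # Step 6: with the boundary on IAMOnlyUser, CreateUser without a boundary is refused
        "create_admin_after": authorize(IAM_FULL_ACCESS, "iam:CreateUser", new_user, boundary=b),
        # and succeeds only when the same boundary is attached to the new user.
        "create_admin_with_boundary": authorize(IAM_FULL_ACCESS, "iam:CreateUser", new_user,
                                                with_boundary, boundary=b),
        # Step 7: AdministratorAccess capped by the boundary reaches IAM but not EC2.
        "admin_run_instances": authorize(ADMINISTRATOR_ACCESS, "ec2:RunInstances", "*", boundary=b),
        "admin_list_users": authorize(ADMINISTRATOR_ACCESS, "iam:ListUsers", "*", boundary=b),
        # Self-protection: the boundary can be neither stripped nor edited.
        "strip_boundary": authorize(IAM_FULL_ACCESS, "iam:DeleteUserPermissionsBoundary",
                                    new_user, with_boundary, boundary=b),
        "edit_boundary_policy": authorize(ADMINISTRATOR_ACCESS, "iam:CreatePolicyVersion",
                                          BOUNDARY_ARN, boundary=b),
        # Caveat: iam:* is still allowed against users that existed before the boundary.
        "key_for_existing_admin": authorize(IAM_FULL_ACCESS, "iam:CreateAccessKey",
                                            f"arn:aws:iam::{ACCOUNT}:user/ExistingAdmin",
                                            boundary=b),
    }


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name:28s} {decision}")
```

Run it with python3 to print each decision. The real calls behind steps 5 and 6 are `aws iam put-user-permissions-boundary --user-name IAMOnlyUser --permissions-boundary <arn>` and `aws iam create-user --user-name AdminAccess --permissions-boundary <arn>`; the model treats a create-user call that omits `--permissions-boundary` as a request in which the iam:PermissionsBoundary key is absent, which is exactly why the StringNotEquals Deny fires. The last entry is the reason to pair a boundary like this with a separate policy on pre-existing privileged users, or with explicit denies on iam:CreateAccessKey and iam:UpdateLoginProfile for them.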



Posted By - Karan Gupta
Posted On - Saturday, May 21, 2022
