An IAM permissions boundary is an advanced feature that uses a managed policy to set the maximum permissions an identity-based policy can grant to an IAM entity. Read more about permissions boundaries on the AWS documentation page.
Watch this AWS re:Invent video to get familiar with the IAM permissions boundary concept; start at the 30-minute mark to go straight to the permissions boundary topic.
IAM Permissions Boundary:
I am going to take a real-world scenario, show how a permissions boundary can help, and provide Terraform code to replicate the use case.
As an AWS administrator you have created an IAM role with the permissions below. This role can be assumed by a user, used by a build tool, or associated with a CLI user account.
# Developer policy: IAM writes allowed only on roles whose name starts with the prefix.
statement {
  effect  = "Allow"
  actions = [
    "iam:CreateRole",
    "iam:UpdateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:DetachRolePolicy"
  ]
  resources = [
    "arn:aws:iam::accountidxxx:role/role_prefix*"
  ]
}
These permissions allow the role to create a new role as long as the role name starts with the value of the "role_prefix" variable.
You often need these permissions on a CLI developer role or a console user for tasks such as creating and deploying Lambda functions.
However, there is a problem with the above set of permissions. Imagine you assign them to a role, a user assumes that role and creates a new role with a broader set of permissions than they hold themselves. This is possible because there is no boundary (no restriction on what the new role's policies may grant): the only constraint is the role-name prefix, not the permissions the new role receives.
Now let's look at the same example with a permissions boundary.
Boundary policy: create the policy below with the name MY_BOUNDARY_POLICY.
This boundary policy restricts a role's access to a limited set of services, in this example SNS, CloudWatch, Lambda and S3, and only for requests made in us-east-1.
# Boundary permissions: these are the restrictions / boundaries.
# A boundary grants nothing on its own; it caps what the role's own policies can grant.
statement {
  sid     = "RegionBoundaries"
  effect  = "Allow"
  actions = [
    "sns:*",
    "cloudwatch:*",
    "lambda:*",
    "s3:*"
  ]
  resources = ["*"]
  condition {
    test     = "StringEquals"
    variable = "aws:RequestedRegion"
    values   = ["us-east-1"]
  }
}
And now let's re-create the developer policy, this time requiring the boundary policy to be attached.
It is important to note that when you use a policy to set the permissions boundary for a user or role, it limits that principal's permissions but does not grant permissions on its own; the effective permissions are the intersection of the identity-based policies and the boundary.
# Developer policy, now conditioned on the boundary being present in the request.
statement {
  effect  = "Allow"
  actions = [
    "iam:CreateRole",
    "iam:UpdateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:DetachRolePolicy"
  ]
  resources = [
    "arn:aws:iam::accountidxxx:role/role_prefix*"
  ]
  condition {
    test     = "StringEquals"
    variable = "iam:PermissionsBoundary"
    values   = ["arn:aws:iam::accountidxxx:policy/MY_BOUNDARY_POLICY"]
  }
}
This condition does two things:
- It forces you to attach the boundary policy every time you create or update a role; a CreateRole request that does not carry MY_BOUNDARY_POLICY as its permissions boundary is denied.
- It places the boundary around the newly created role, which restricts that role to the services listed in the boundary policy. Whatever its own policies say, the new role can at most get permissions on S3, CloudWatch, SNS and Lambda in us-east-1.
Because the developer role is granted neither iam:DeleteRolePermissionsBoundary nor iam:CreatePolicyVersion, it can neither strip the boundary from the new role nor loosen MY_BOUNDARY_POLICY itself; keep those actions reserved for administrators.
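The fragments above assembled into a complete, applyable Terraform configuration, as an added example that is not the post's own code. It assumes an already-configured AWS provider in us-east-1, that the "role_prefix" value is "app-", a developer role named "lambda-developer", and a trusted principal ARN supplied through a variable; all of these names are assumptions, not values from the post.

```hcl
# Added example (not from the original post). Assumed values are marked as such.

variable "role_prefix" {
  description = "Prefix that roles created by developers must carry"
  type        = string
  default     = "app-" # assumed value for the post's role_prefix
}

variable "trusted_principal_arn" {
  description = "Principal allowed to assume the developer role (assumed placeholder)"
  type        = string
}

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
}

# 1. The boundary: the most any developer-created role may ever do, region-locked.
data "aws_iam_policy_document" "boundary" {
  statement {
    sid       = "RegionBoundaries"
    effect    = "Allow"
    actions   = ["sns:*", "cloudwatch:*", "lambda:*", "s3:*"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestedRegion"
      values   = ["us-east-1"]
    }
  }
}

resource "aws_iam_policy" "boundary" {
  name   = "MY_BOUNDARY_POLICY"
  policy = data.aws_iam_policy_document.boundary.json
}

# 2. The developer policy: IAM writes on prefixed roles only, and only when the
#    request names the boundary above. No DeleteRolePermissionsBoundary or
#    CreatePolicyVersion, so the boundary cannot be removed or loosened.
data "aws_iam_policy_document" "developer" {
  statement {
    sid    = "CreateOrChangeRolesOnlyWithBoundary"
    effect = "Allow"
    actions = [
      "iam:CreateRole",
      "iam:UpdateRole",
      "iam:AttachRolePolicy",
      "iam:PutRolePolicy",
      "iam:DetachRolePolicy",
    ]
    resources = ["arn:aws:iam::${local.account_id}:role/${var.role_prefix}*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PermissionsBoundary"
      values   = [aws_iam_policy.boundary.arn]
    }
  }
}

data "aws_iam_policy_document" "developer_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.trusted_principal_arn]
    }
  }
}

resource "aws_iam_role" "developer" {
  name               = "lambda-developer" # assumed name
  assume_role_policy = data.aws_iam_policy_document.developer_trust.json
}

resource "aws_iam_role_policy" "developer" {
  name   = "developer-iam-writes"
  role   = aws_iam_role.developer.id
  policy = data.aws_iam_policy_document.developer.json
}

# 3. A role the developer is allowed to create: prefixed name plus the boundary.
#    Applied with the developer role's credentials, dropping permissions_boundary
#    makes the CreateRole call fail the iam:PermissionsBoundary condition.
resource "aws_iam_role" "example_lambda" {
  name                 = "${var.role_prefix}lambda-exec"
  permissions_boundary = aws_iam_policy.boundary.arn
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}
```

Apply sections 1 and 2 as the administrator; section 3 is what a developer's own Terraform would contain. Even if the developer later attaches an AdministratorAccess-style policy to the example role, its effective permissions stay within the boundary's four services in us-east-1.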
Also take a look at this article on Lambda comparing the performance of Java and Python, an apples-to-apples comparison.