Permissions Boundary example

README.md

This pull request creates a new resource FederatedRolePermissionsBoundary in LZConfig/templates/aws_baseline/aws-landing-zone-default-azure-roles.template

FederatedRolePermissionsBoundary is an IAM Policy that gets applied as a Permissions Boundary to all existing federated roles.

This policy has several statements:

AllowAll -- Allows all actions by default

DenyWriteToRoleWithoutBoundaryPolicy -- Denies the ability to write to any roles without this boundary policy attached

DenyWriteToThisPolicy -- Denies the ability to modify this policy

DenyDeletePermissionsBoundary -- Denies the ability to delete any permissions boundary policies

DenyWriteToUser -- Denies the ability to create or modify users

For information on the nature of permissions boundaries, please visit here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

For information on the evaluation logic of policies and how permissions boundaries fit in, please visit here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

role-with-boundaries.yml

---
AWSTemplateFormatVersion: 2010-09-09
Description: Example Role with Permissions Boundaries

Resources:

  ###
  # Federated Role Permissions Boundary
  # Default allow all actions
  # Explicitly deny writes to user resources
  # Explicitly deny writes to roles where the boundary policy is not set to this policy
  ###
  FederatedRolePermissionsBoundary:
    Type: AWS::IAM::Policy
    Properties: 
      PolicyName: "FederatedRolePermissionsBoundary"
      Metadata:
        cfn_nag:
          rules_to_suppress:
            - id: F4
              reason: "This is a boundary policy and should allow for default all actions"
      PolicyDocument: 
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAll
            Effect: Allow
            Action: "*"
            Resource: "*"
          - Sid: DenyWriteToRoleWithoutBoundaryPolicy
            Effect: Deny
            Action:
            - iam:DetachRolePolicy
            - iam:DeleteRolePolicy
            - iam:PutRolePermissionsBoundary
            - iam:CreateRole
            - iam:AttachRolePolicy
            Resource: "*"
            Condition:
              StringNotEquals:
                "iam:PermissionsBoundary": !Sub "arn:aws:iam::${AWS::AccountId}:policy/FederatedRolePermissionsBoundary"
          - Sid: DenyWriteToThisPolicy
            Effect: Deny
            Action:
              - "iam:CreatePolicyVersion"
              - "iam:DeletePolicy"
              - "iam:DeletePolicyVersion"
              - "iam:SetDefaultPolicyVersion"
            Resource:
              - !Sub "arn:aws:iam::${AWS::AccountId}:policy/FederatedRolePermissionsBoundary"
          - Sid: DenyDeletePermissionsBoundary
              Effect: Deny
              Action:
                - iam:DeleteRolePermissionsBoundary
                - iam:DeleteUserPermissionsBoundary
              Resource: "*"
          - Sid: DenyWriteToUser
            Effect: Deny
            Action:
              - iam:UpdateUser
              - iam:PutUserPermissionsBoundary
              - iam:AttachUserPolicy
              - iam:DeleteUserPolicy
              - iam:DeleteUser
              - iam:DeleteUserPermissionsBoundary
              - iam:CreateUser
              - iam:TagUser
              - iam:UntagUser
              - iam:RemoveUserFromGroup
              - iam:AddUserToGroup
              - iam:PutUserPolicy
              - iam:DetachUserPolicy
            Resource:
              - "arn:aws:iam::*:user/*"
              - "arn:aws:iam::*:group/*"
              
  ###
  # Administrator Role
  # Federated with the SAML IDP
  # Access to Everything
  ###
  AdministratorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AdministratorRole
      PermissionsBoundary: !Ref FederatedRolePermissionsBoundary
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess