How can I use permissions boundaries to limit the scope of IAM users and roles and prevent privilege escalation?

Last updated: 2020-09-11

How can I create a permissions boundary policy to restrict AWS Identity and Access Management (IAM) admin access and prevent privilege escalation?

Resolution

The following example permissions boundary policy enforces these restrictions:

  • IAM principals created by IAM admins can have full access to AWS resources, but only to the extent that their identity-based policies grant it. A permissions boundary never grants permissions on its own; a principal's effective permissions are the intersection of its identity-based policies and its boundary.
  • The policy denies IAM principals access to AWS Billing and Cost Management related services (the account, aws-portal, savingsplans, cur and ce action namespaces in this example).
  • IAM principals can't alter the policy that sources the permissions boundary, and can't remove or replace the boundary, to grant themselves access to the restricted services.
  • IAM admins can't create IAM principals with more privileges than they have themselves.
  • IAM principals created by IAM admins can't in turn create IAM principals with more permissions than the IAM admins have.

Save this policy as a customer managed policy named ScopePermissions. Replace YourAccount_ID with your account ID in every ARN; the policy's own ARN appears in several Deny statements, so the name in those ARNs must match the name you give the policy. Attach the boundary to the IAM admins themselves as well as to the principals they create: an admin that doesn't carry the boundary isn't subject to any of its Deny statements. The three Deny statements that use StringNotEquals rely on how IAM treats a missing condition key: when a CreateUser, CreateRole or Put*PermissionsBoundary request carries no permissions boundary at all, iam:PermissionsBoundary is absent from the request context, a negated operator such as StringNotEquals then evaluates to true, and the request is denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAdminAccess",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Sid": "DenyAccessToCostAndBilling",
            "Effect": "Deny",
            "Action": [
                "account:*",
                "aws-portal:*",
                "savingsplans:*",
                "cur:*",
                "ce:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DenyPermBoundaryIAMPolicyAlteration",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
            ]
        },
        {
            "Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
                }
            }
        },
        {
            "Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied",
            "Effect": "Deny",
            "Action": [
                "iam:PutUserPermissionsBoundary",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
                }
            }
        },
        {
            "Sid": "DenyUserAndRoleCreationWithOutPermBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::YourAccount_ID:user/*",
                "arn:aws:iam::YourAccount_ID:role/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
                }
            }
        }
    ]
}

To test this policy:

1.    Create a new IAM user named Bob.

2.    Attach the AWS managed AdministratorAccess policy to Bob as an identity-based policy, and set ScopePermissions as Bob's permissions boundary.

3.    Log in to the AWS Management Console as Bob. Then, try to:

  • Open Cost Explorer in the AWS Billing and Cost Management console.
  • Delete the permissions boundary from Bob.
  • Create new IAM users and roles without a permissions boundary.
  • Create an IAM user named Alice with ScopePermissions as the permissions boundary, and then attach the AdministratorAccess policy to Alice as an identity-based policy.

4.    Log in to the AWS Management Console as Alice and repeat the same attempts.

The permissions boundary makes sure that:

  • Bob can't create new users or roles without attaching the permissions boundary ScopePermissions.
  • IAM users and roles created by Bob have the same or fewer permissions than Bob.
  • Bob and Alice can't change the IAM policy that sources the permissions boundary, for example by creating a new policy version, changing the default version, or deleting the policy.
  • Bob and Alice can't change or remove the enforced permissions boundary from themselves or from other users and roles.
  • The permissions boundary denies access to the restricted Billing and Cost Management services, regardless of what the identity-based policies allow.
  • Alice's effective permissions are the same as Bob's, which prevents privilege escalation. If Alice creates a new IAM user, that user must also carry ScopePermissions and so can't have more permissions than Bob. Because no IAM principal can be created without the permissions boundary, the cap propagates to every principal created down the chain.
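As an added example (not code from AWS or from this article), the following Python models how the policy above is evaluated against the test steps: it loads ScopePermissions with a placeholder account ID, combines the AdministratorAccess identity-based policy with the boundary the way IAM does for a same-account request (an explicit deny wins, otherwise both documents must allow), and implements the StringEquals/StringNotEquals handling of a missing iam:PermissionsBoundary key that the last three Deny statements depend on. The evaluator itself, the account ID 111122223333, and the Weaker policy name are assumptions for illustration; it calls no AWS API and is a reasoning aid, not a substitute for testing against the real service.

```python
"""Offline model of how ScopePermissions constrains Bob and Alice.

Added example, not code from AWS or this article. It models only the policy
grammar the boundary uses (Action/Resource wildcards, StringEquals and
StringNotEquals on one key, explicit deny wins); it is not the IAM engine and
calls no AWS API, so confirm results with the article's test steps. The account
ID 111122223333 and the user names are placeholders assumed for the example.
"""
import fnmatch
import json

ACCOUNT = "111122223333"  # placeholder account ID
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/ScopePermissions"

# The article's policy, keeping its YourAccount_ID placeholder (ARNs factored out).
BOUNDARY = "arn:aws:iam::YourAccount_ID:policy/ScopePermissions"
PRINCIPALS = ["arn:aws:iam::YourAccount_ID:user/*", "arn:aws:iam::YourAccount_ID:role/*"]
POLICY_TEMPLATE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAdminAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyAccessToCostAndBilling", "Effect": "Deny", "Resource": "*",
     "Action": ["account:*", "aws-portal:*", "savingsplans:*", "cur:*", "ce:*"]},
    {"Sid": "DenyPermBoundaryIAMPolicyAlteration", "Effect": "Deny", "Resource": [BOUNDARY],
     "Action": ["iam:DeletePolicy", "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"]},
    {"Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole", "Effect": "Deny", "Resource": PRINCIPALS,
     "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY}}},
    {"Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied", "Effect": "Deny", "Resource": PRINCIPALS,
     "Action": ["iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY}}},
    {"Sid": "DenyUserAndRoleCreationWithOutPermBoundary", "Effect": "Deny", "Resource": PRINCIPALS,
     "Action": ["iam:CreateUser", "iam:CreateRole"],
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY}}}]}

def build_boundary(account_id):
    """Return ScopePermissions with YourAccount_ID replaced, as the article says to do."""
    return json.loads(json.dumps(POLICY_TEMPLATE).replace("YourAccount_ID", account_id))

SCOPE_PERMISSIONS = build_boundary(ACCOUNT)
# AWS managed AdministratorAccess, the identity-based policy Bob and Alice carry.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _matches(patterns, value):
    """IAM-style wildcard match (IAM actions are case-insensitive; this demo is not)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """The two operators the boundary uses, with IAM's missing-key rule: an absent
    key makes StringEquals false and StringNotEquals true. That rule is what makes a
    CreateUser call with no permissions boundary at all hit the Deny statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual is not None and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator {operator} is not modeled here")
    return True

def evaluate(policy, action, resource, context=None):
    """Evaluate one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    context, verdict = context or {}, "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any matching statement is final
        verdict = "Allow"
    return verdict

def is_allowed(action, resource, context=None,
               identity_policy=ADMINISTRATOR_ACCESS, boundary=SCOPE_PERMISSIONS):
    """Same-account decision for a principal with an identity-based policy and an
    optional boundary: any explicit deny wins, otherwise every document must allow."""
    docs = [identity_policy] + ([boundary] if boundary is not None else [])
    results = [evaluate(doc, action, resource, context) for doc in docs]
    return "Deny" not in results and all(r == "Allow" for r in results)

if __name__ == "__main__":
    alice, bob = (f"arn:aws:iam::{ACCOUNT}:user/{n}" for n in ("Alice", "Bob"))
    with_boundary = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    checks = [  # the article's test steps for Bob, then Alice
        ("Bob lists S3 buckets", is_allowed("s3:ListAllMyBuckets", "*")),
        ("Bob opens Cost Explorer", is_allowed("ce:GetCostAndUsage", "*")),
        ("Bob deletes his own boundary", is_allowed("iam:DeleteUserPermissionsBoundary", bob, with_boundary)),
        ("Bob creates Alice with no boundary", is_allowed("iam:CreateUser", alice)),
        ("Bob creates Alice under ScopePermissions", is_allowed("iam:CreateUser", alice, with_boundary)),
        ("Alice replaces her boundary with a weaker one", is_allowed("iam:PutUserPermissionsBoundary", alice,
            {"iam:PermissionsBoundary": f"arn:aws:iam::{ACCOUNT}:policy/Weaker"})),
        ("Alice edits ScopePermissions itself", is_allowed("iam:CreatePolicyVersion", BOUNDARY_ARN)),
        ("An admin without the boundary creates an unbounded user", is_allowed("iam:CreateUser", alice, boundary=None)),
    ]
    for label, allowed in checks:
        print("ALLOW" if allowed else "DENY ", label)
```

The last check is the one to keep in mind when rolling this out: the same AdministratorAccess principal, evaluated without the boundary, is free to create an unbounded user, so the Deny statements only protect you once every admin is under the boundary as well.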
