Set Permissions Boundaries for IAM Identities

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that permissions boundaries are set for explicit Amazon IAM identities in order to control the maximum permissions that these can have. Permissions boundaries are IAM restrictions (similar to AWS Organizations Service Control Policies) that define the maximum allowed permissions for an IAM user or role within your AWS cloud account. This feature allows others to perform tasks on your behalf within a specific boundary of permissions. As an IAM administrator, you can define one or more permissions boundaries using managed policies and allow another user in your organization to create a principal with this boundary. The trusted user can then attach a permissions policy to this principal. However, the effective permissions of the newly created principal are the intersection of the permissions boundary and the permissions policy, so the principal cannot exceed the boundary that you define. Specifically, you can grant another user permission to create IAM roles and assign permissions. Using a permissions boundary, you can ensure that those new IAM roles can only access certain actions and resources (e.g. launch EC2 instances) in a particular AWS region (e.g. Asia Pacific - Sydney region).

Security

As your organization grows, you may need to allow your trusted employees to configure and manage IAM permissions in order to help your organization to scale permission management and move workloads faster to AWS cloud. For example, you might need to grant a developer the ability to create and manage permissions for an IAM role required to run a web application on Amazon EC2. This ability is quite powerful and can be used inappropriately or accidentally to attach an administrator access policy in order to obtain full access to all resources within an AWS account. With permissions boundaries you can easily control the maximum permissions that your employees can grant to the IAM principals (i.e. users and roles) that they create and manage.
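To make the intersection concrete, here is an added example (not part of this Conformity rule or of any AWS tooling) that models how a permissions boundary and an identity policy combine: a request passes only if both documents allow it, and the boundary on its own grants nothing. The policy documents are constructed samples, a boundary that allows EC2 actions only in ap-southeast-2 beside an identity policy that also allows IAM actions; only Allow/Deny with wildcards and StringEquals conditions are modelled.

```python
import fnmatch

def _match(pattern, value):
    # IAM-style wildcard (* and ?) matching; action names are case-insensitive in IAM
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _statement_applies(stmt, action, resource, context):
    # A statement applies when action, resource and every modelled condition key match
    if not any(_match(a, action) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource"))):
        return False
    # Only StringEquals is modelled; enough to express a region-scoped boundary
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def policy_allows(policy, action, resource, context):
    # Single-document decision: explicit Deny wins, else Allow if any statement
    # allows, else implicit deny
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def effective_allows(boundary, identity_policy, action, resource, context=None):
    # Effective permission = boundary AND identity policy (the intersection)
    context = context or {}
    return (policy_allows(boundary, action, resource, context)
            and policy_allows(identity_policy, action, resource, context))

# Constructed sample documents (not real AWS managed policies)
SYDNEY_EC2_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}}}]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}]}
NO_POLICY = {"Version": "2012-10-17", "Statement": []}

def demo():
    syd, use1 = {"aws:RequestedRegion": "ap-southeast-2"}, {"aws:RequestedRegion": "us-east-1"}
    return {
        "ec2 in sydney": effective_allows(SYDNEY_EC2_BOUNDARY, DEVELOPER_POLICY, "ec2:RunInstances", "*", syd),
        "ec2 in us-east-1": effective_allows(SYDNEY_EC2_BOUNDARY, DEVELOPER_POLICY, "ec2:RunInstances", "*", use1),
        "iam anywhere": effective_allows(SYDNEY_EC2_BOUNDARY, DEVELOPER_POLICY, "iam:CreateUser", "*", syd),
        "boundary alone": effective_allows(SYDNEY_EC2_BOUNDARY, NO_POLICY, "ec2:RunInstances", "*", syd),
    }
```

The `iam anywhere` case is the scenario the rule guards against: the identity policy says `iam:*`, but the boundary never allows it, so the effective permission is denied.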


Audit

To determine if your Amazon IAM identities have permissions boundaries configured to control the maximum permissions that these can acquire, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users or Roles, depending on the identity type that you want to examine. Note that the Permissions Boundary feature can't be used with IAM groups, only with users and roles.

04 Click on the name (link) of the IAM user/role that you want to examine.

05 Select the Permissions tab and click on Permissions boundary to expand the section with the Permissions Boundary feature settings.

06 Check the Permissions boundary section for any assigned IAM policies. If there is no IAM policy configured as the permissions boundary and the following message is displayed: "No permissions boundary is set for this user/role.", the selected Amazon IAM identity does not have any permissions boundaries set.

07 Repeat steps no. 4 – 6 for each Amazon IAM identity that you want to check for permissions boundaries.

Using AWS CLI

01 Based on Amazon IAM identity type that you want to examine, perform one of the following sets of commands:

  1. For IAM users:
    • Run get-user command (OSX/Linux/UNIX) using the name of the Amazon IAM user that you want to examine as the identifier parameter, to describe the permissions boundary configuration information available for the selected IAM identity:
      aws iam get-user \
        --user-name cc-project5-developer \
        --query "User.PermissionsBoundary"
      
    • If the get-user command output returns null, as shown in the example below, the selected Amazon IAM user does not have any permissions boundaries set:
      null
      
  2. For IAM roles:
    • Run get-role command (OSX/Linux/UNIX) using the name of the Amazon IAM role that you want to examine as the identifier parameter, to describe the permissions boundary configuration metadata for the selected IAM identity:
      aws iam get-role \
        --role-name cc-project5-dev-role \
        --query "Role.PermissionsBoundary"
      
    • If the get-role command output returns null, as shown in the example below, the selected Amazon IAM role does not have any permissions boundaries configured:
      null
      
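The two CLI checks above have to be repeated for every identity. The following added example (not Conformity's code) automates that with boto3, which is assumed to be installed with credentials that hold iam:List* and iam:Get*. It calls get_user/get_role for each identity because list-users and list-roles omit the PermissionsBoundary attribute, skips service-linked roles (which cannot carry a boundary), and its classification function runs offline on constructed records shaped like get-user/get-role output.

```python
def unbounded_identities(identities):
    """Return (kind, name) for every identity record that has no permissions boundary.

    `identities` yields (kind, record) pairs where `record` is the User/Role dict
    returned by iam.get_user()/iam.get_role(). ListUsers/ListRoles do not include
    PermissionsBoundary, so the per-identity Get call is required, exactly as in
    the manual get-user / get-role steps.
    """
    findings = []
    for kind, record in identities:
        boundary = record.get("PermissionsBoundary") or {}
        if not boundary.get("PermissionsBoundaryArn"):
            name_key = "UserName" if kind == "user" else "RoleName"
            findings.append((kind, record[name_key]))
    return findings

def collect_identities(iam):
    """Yield full User/Role records from a boto3 IAM client (assumed credentials)."""
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            yield "user", iam.get_user(UserName=u["UserName"])["User"]
    for page in iam.get_paginator("list_roles").paginate():
        for r in page["Roles"]:
            if r["Path"].startswith("/aws-service-role/"):
                continue  # service-linked roles cannot have a permissions boundary
            yield "role", iam.get_role(RoleName=r["RoleName"])["Role"]

# Constructed sample records (offline stand-in for get-user / get-role output)
SAMPLE_IDENTITIES = [
    ("user", {"UserName": "cc-project5-developer", "Path": "/"}),
    ("user", {"UserName": "cc-ec2-instance-manager", "Path": "/",
              "PermissionsBoundary": {
                  "PermissionsBoundaryType": "Policy",
                  "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances"}}),
    ("role", {"RoleName": "cc-project5-dev-role", "Path": "/"}),
]

if __name__ == "__main__":
    import boto3  # only needed for a live account scan
    for kind, name in unbounded_identities(collect_identities(boto3.client("iam"))):
        print(f"{kind} {name}: no permissions boundary set")
```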

Remediation / Resolution

To set up permissions boundaries for your Amazon IAM identities in order to control the maximum permissions that these IAM entities can get, perform the following actions:

Note: A permissions boundary limits the maximum permissions, but does not grant access on its own. Only permissions policies grant permissions, and a permissions boundary can only restrict what they grant. The Amazon IAM identities presented as examples in this conformity rule have attached permissions policies that require such a limit.

Using AWS CloudFormation

- For IAM users:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Set Permissions Boundaries for IAM User",
	"Resources": {
		"IAMUser": {
			"Type": "AWS::IAM::User",
			"Properties": {
				"UserName": "cc-ec2-instance-manager",
				"Path": "/",
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
				],
				"LoginProfile": {
					"Password": "[password]",
					"PasswordResetRequired": true
				},
				"PermissionsBoundary": "arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Set Permissions Boundaries for IAM User
Resources:
  IAMUser:
    Type: AWS::IAM::User
    Properties:
      UserName: cc-ec2-instance-manager
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
      LoginProfile:
        Password: '[password]'
        PasswordResetRequired: true
      PermissionsBoundary: arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_user" "iam-user" {
	name = "cc-ec2-instance-manager"
	path = "/"

	# Set Permissions Boundaries for IAM User
	permissions_boundary = "arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances"
}

resource "aws_iam_user_policy_attachment" "iam-user-attachment" {
	user       = aws_iam_user.iam-user.name
	policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

resource "aws_iam_user_login_profile" "user-login-profile" {
	user                    = aws_iam_user.iam-user.name
	password                = "[password]" # placeholder, replace before applying
	password_reset_required = true
}

Using AWS CloudFormation

- For IAM roles:

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"InstanceRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "cc-project5-iam-role",
				"Description": "Provide access to Amazon EC2 resources",
				"Path": "/",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"ec2.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
				],
				"PermissionsBoundary": "arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cc-project5-iam-role
      Description: Provide access to Amazon EC2 resources
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
      PermissionsBoundary: arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_role" "iam-role" {
	name = "cc-project5-iam-role"
	path = "/"

	# Indented heredoc (<<-) so the leading tabs are stripped from the JSON document
	assume_role_policy = <<-EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
					"Service": "ec2.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF

	managed_policy_arns  = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"]

	# Set Permissions Boundaries for IAM Role
	permissions_boundary = "arn:aws:iam::123456789012:policy/DenyAccessToProductionInstances"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Users or Roles, depending on the identity type that you want to reconfigure. Permissions boundaries can't be used with IAM groups, only with users and roles.

04 Click on the name (link) of the IAM user/role that you want to reconfigure.

05 Select the Permissions tab and click on Permissions boundary to expand the section with the Permissions Boundary feature settings.

06 Choose Set boundary to start the permissions boundary set up process for the selected IAM identity.

07 On the Set the permissions boundary on <user-name/role-name> page, select a managed policy (customer-managed or AWS-managed policy) to set as the permissions boundary for the selected IAM user/role, then choose Set boundary to apply the chosen permissions. Once the IAM policy selected as permissions boundary has been successfully attached, the following confirmation message should be returned by the IAM console: Permissions boundary <policy-name> has been set for <user-name/role-name>.

08 Repeat steps no. 4 – 7 to set up permissions boundaries for other Amazon IAM identities that require permissions limitations.

Using AWS CLI

01 Based on the Amazon IAM identity type that you want to reconfigure, run one of the following commands:

  1. For IAM users:
    - To set permissions boundaries for a specific IAM user, run put-user-permissions-boundary command (OSX/Linux/UNIX) using the name of the user that you want to configure as the identifier parameter and the Amazon Resource Name (ARN) of the managed IAM policy that you want to set as permissions boundary, as value for the --permissions-boundary parameter (the command request does not produce an output):
    aws iam put-user-permissions-boundary \
      --user-name cc-project5-developer \
      --permissions-boundary arn:aws:iam::123456789012:policy/iam-boundary-policy
    
  2. For IAM roles:
    - To set permissions boundaries for a specific IAM role, run put-role-permissions-boundary command (OSX/Linux/UNIX) using the name of the IAM role that you want to reconfigure as the identifier parameter and the ARN of the managed policy that you want to set as the role's permissions boundary, as value for the --permissions-boundary parameter (the command request does not return an output):
    aws iam put-role-permissions-boundary \
      --role-name cc-project5-dev-role \
      --permissions-boundary arn:aws:iam::123456789012:policy/iam-boundary-policy
    

Publication date Jul 26, 2018