
Hello,

Does the Permission Boundary act to protect against an IAM user who has the right to modify the identity-based policy of the IAM group to which he belongs?

For example, a user is in charge of maintaining all network configuration of an AWS Account.
So we put this user in an IAM Group which has an Identity-Based Policy like this one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*"
            ],
            "Resource": "*"
        }
    ]
}

Let’s suppose that this user modifies its IAM Group’s Identity-Based Policy (without permission) like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "vpc:*",
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

Is it correct that if there is no Permission Boundary, he would then get access to any action on any EC2 instance of the AWS Account?

But that if a Permission Boundary is set as follows, he would still be restricted to intervening only on VPCs?

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "vpc:*",
    "Resource": "*"
  }
}

Thank you
Have a good weekend
Didier

Hello Didier,

Yes, you are correct. In the scenario you described, without a permission boundary, the user would have the ability to modify the identity-based policy of the IAM group they belong to and potentially gain access to additional actions, such as ec2:*, which would grant them access to manage EC2 instances.

However, if a Permission Boundary is set for the IAM group, it acts as an additional layer of control and restricts the user’s permissions even if they modify the group’s identity-based policy.
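To make the intersection rule concrete, here is an added example (not code from the thread) that simulates the effective decision for the two policies above: the identity policy must allow the action AND, when a boundary is attached, the boundary must allow it too. It is a deliberate simplification: only Allow/Deny on actions and resources is modelled (no SCPs, resource or session policies), the action prefix "vpc:*" is taken as written in the question, and in real IAM the boundary is attached to the user or role that the group's policy ends up applying to.

```python
"""Simplified simulation of how a permissions boundary bounds an identity policy."""
from fnmatch import fnmatch

# Constructed policies mirroring the thread: the group policy after the
# unauthorised edit (ec2:* added) and the permissions boundary (vpc:* only).
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["vpc:*", "ec2:*"], "Resource": "*"}],
}
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "vpc:*", "Resource": "*"},
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource="*"):
    """Decision of one policy document: 'Deny', 'Allow' or None (implicit deny).

    An explicit Deny wins over any Allow; an action the policy never mentions
    falls through to None, the implicit deny.
    """
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(identity_policy, action, boundary=None, resource="*"):
    """Effective decision: the boundary never grants, it only caps the identity policy."""
    if evaluate(identity_policy, action, resource) != "Allow":
        return False
    if boundary is None:
        return True
    return evaluate(boundary, action, resource) == "Allow"


if __name__ == "__main__":
    for act in ("vpc:DescribeThings", "ec2:RunInstances", "iam:PutGroupPolicy"):
        print(f"{act:22s} no boundary={is_allowed(GROUP_POLICY, act)!s:5} "
              f"with boundary={is_allowed(GROUP_POLICY, act, BOUNDARY)}")
```

Running it shows ec2:RunInstances allowed by the edited group policy alone but refused once the boundary is in place, while the vpc:* action passes both.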

Hello Antoine,

Thank you for your confirmation

Didier