search

aws-samples / aws-iam-identity-center-extensions

This solution is intended for enterprises that need a streamlined way of managing user access to their AWS accounts. Using this solution, your identity and access management teams can extend AWS SSO functionality by automating common access management and governance use cases
MIT License
65 stars 24 forks source link

Restricting creating Permission Sets without attaching the Permission Boundary for the same. #115

Open aritraplaygroundtech opened 1 year ago

aritraplaygroundtech commented 1 year ago

I have a use case from a bigger enterprise, they are currently adopting AWS SSO with AzureAD integration. In the setup, currently account users or roles can create permissionsets with administrator access without adding Permission boundary.

The Permission Boundary policy is created for the AWS account. While manually adding the permission sets from the console and creating a new permission set, it works smoothly. Creating the permission sets without attaching permission boundary works as well. But, to be able to restrict creating the permissionsets does not seem to work by adding a Deny policy on the IAM role/user

{
            "Sid": "DenyCreatePermissionSetWithoutBoundary",
            "Effect": "Deny",
            "Action": [
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeleteInlinePolicyFromPermissionSet",
                "sso:DeletePermissionSet",
                "sso:DetachManagedPolicyFromPermissionSet",
                "sso:ProvisionPermissionSet",
                "sso:PutInlinePolicyToPermissionSet",
                "sso:UpdatePermissionSet"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": "ARN of the PB"
                }
            }
        }

It seems the condition block is not getting evaluated for the above policy. Its either restricting the permission set overall or not restricting at all.

Is there any way to restrict creating the permission sets without adding Permission boundary?

mdgm88 commented 6 months ago

Being able to restrict creation, update etc. of permission sets depending on whether a Permissions Boundary is attached would be a great improvement.

iam:PermissionsBoundary is a condition for IAM roles, not for SSO Permission Sets.