This didn't work previously as users of this federated role couldn't
AssumeRole. Adding it into the permission boundary doesn't constrain
what rights the user has once they've assumed a role.
As my original goal was to prevent a user from assuming a local role
in the infosec-prod account, this NotResource clause solves that.
The user can still assume every role in a foreign AWS account if that
role delegates trust to the infosec-prod AWS account. There's no normal
case where this would happen and if a foreign AWS account did delegate
those rights, they get what they ask for.
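The behaviour described above (a NotResource-based Allow on sts:AssumeRole that excludes every role in the local account, while cross-account roles remain assumable only if their trust policy names this account) can be checked against sample ARNs with a small policy evaluator. This is an added illustration, not code or policy text from the original message or project: the statement shape, the placeholder account ids, and the simplified evaluation rules are all assumptions.

```python
import fnmatch

# Constructed placeholder: the real infosec-prod account id is not on the page.
LOCAL_ACCOUNT_ID = "111111111111"

# Assumed shape of the statement the message describes: Allow sts:AssumeRole on
# every role ARN *except* roles in the local account, expressed with NotResource.
# (Assumption: the real policy may carry further statements and conditions.)
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeRolesOutsideLocalAccount",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "NotResource": f"arn:aws:iam::{LOCAL_ACCOUNT_ID}:role/*",
        }
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/NotResource be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _arn_matches(pattern, arn):
    # IAM resource patterns use * and ? wildcards; fnmatchcase is a close enough
    # approximation for this illustration (case-sensitive, as IAM ARNs are).
    return fnmatch.fnmatchcase(arn, pattern)


def assume_role_allowed(policy, role_arn, action="sts:AssumeRole"):
    """Simplified evaluation of one identity policy for a single action/resource.

    Models Allow/Deny with Resource or NotResource only: an explicit Deny wins,
    otherwise any matching Allow grants. Condition keys are not modelled.
    """
    allowed = False
    for statement in policy["Statement"]:
        actions = _as_list(statement.get("Action", []))
        if action not in actions and "*" not in actions:
            continue
        if "NotResource" in statement:
            # NotResource matches everything that does NOT match any pattern.
            matched = not any(_arn_matches(p, role_arn)
                              for p in _as_list(statement["NotResource"]))
        else:
            matched = any(_arn_matches(p, role_arn)
                          for p in _as_list(statement.get("Resource", [])))
        if not matched:
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_assume_possible(policy, role_arn, trusting_account_ids):
    """AssumeRole succeeds only when BOTH halves agree: the caller's identity
    policy allows the call AND the target role's trust policy names the
    caller's account. `trusting_account_ids` stands in for the principals
    listed in the foreign role's trust policy (constructed input)."""
    return (assume_role_allowed(policy, role_arn)
            and LOCAL_ACCOUNT_ID in trusting_account_ids)


if __name__ == "__main__":
    local_role = f"arn:aws:iam::{LOCAL_ACCOUNT_ID}:role/Admin"
    foreign_role = "arn:aws:iam::222222222222:role/Audit"  # constructed
    print("local role assumable:  ", assume_role_allowed(POLICY, local_role))
    print("foreign role (identity policy only):",
          assume_role_allowed(POLICY, foreign_role))
    print("foreign role, trust delegated to us:",
          cross_account_assume_possible(POLICY, foreign_role, {LOCAL_ACCOUNT_ID}))
    print("foreign role, trust not delegated: ",
          cross_account_assume_possible(POLICY, foreign_role, {"333333333333"}))
```

The evaluator deliberately separates the two halves of an AssumeRole decision: the NotResource clause only shapes what the caller's own policy permits, and the foreign role's trust policy decides whether that permission is ever exercisable. Reviewing the second half is the useful check when auditing which foreign roles actually delegate to the account.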