
Set Permissions Boundaries for IAM Identities

Security

Risk level: Medium (should be achieved)

Ensure that permissions boundaries are set for explicit Amazon IAM identities in order to control the maximum permissions that these can have. Permissions boundaries are IAM restrictions (similar to AWS Organizations Service Control Policies) that define the maximum permissions available to an IAM user or role within your AWS account. The feature also allows others to perform tasks on your behalf within a specific boundary of permissions. As an IAM administrator, you can define one or more permissions boundaries using managed policies and allow another user in your organization to create a principal with this boundary. The trusted user can then attach a permissions policy to this principal. However, the effective permissions of the newly created principal are the intersection of the permissions boundary and the permissions policy, so the principal cannot exceed the boundary that you defined. Specifically, you can grant another user permission to create IAM roles and assign permissions. Using a permissions boundary, you can ensure that those new IAM roles can only access certain actions and resources (e.g. launch EC2 instances) in a particular AWS region (e.g. Asia Pacific - Sydney region).

This rule resolution is part of the Cloud Conformity Security Package

As your organization grows, you may have to allow trusted employees to configure and manage IAM permissions, so that your organization can scale permission management and move workloads faster to the AWS cloud. For example, you might need to grant a developer the ability to create and manage permissions for an IAM role required to run a web application on Amazon EC2. This ability is quite powerful and can be used inappropriately or accidentally to attach an administrator access policy and obtain full access to all resources and services in an AWS account. With permissions boundaries you can easily control the maximum permissions that your employees can grant to the IAM principals (i.e. users and roles) that they create and manage.
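The intersection rule described above, as an added example (not Cloud Conformity's code): a deliberately simplified Python evaluator in which the boundary is a constructed policy allowing only EC2 actions in ap-southeast-2 and the permissions policy is a constructed full-admin policy. It supports Allow/Deny, Action wildcards and a StringEquals condition on aws:RequestedRegion only; Resource matching, NotAction and other condition keys are out of scope, and it also shows that a boundary by itself grants nothing.

```python
from fnmatch import fnmatch

# Constructed boundary: EC2 actions only, and only in the Sydney region.
BOUNDARY = {"Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-southeast-2"}}}]}

# Constructed permissions policy a trusted user might attach: full admin.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    """IAM lets Action and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, region):
    """Simplified evaluation of one policy document.
    Supports Allow/Deny, Action wildcards (case-insensitive, as in IAM) and
    a StringEquals condition on aws:RequestedRegion; Resource is assumed "*".
    An explicit Deny wins, otherwise any matching Allow; the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue  # statement does not cover this action
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
        if wanted is not None and region not in _as_list(wanted):
            continue  # region condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_allow(boundary, policy, action, region):
    """Effective permission = boundary AND permissions policy.
    A boundary alone never grants anything."""
    return policy_allows(boundary, action, region) and policy_allows(policy, action, region)
```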

Audit

To determine if the necessary IAM identities within your AWS account have set permissions boundaries to control the maximum permissions that these can acquire, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users or Roles, depending on the IAM identity type that you want to check. Note that the permission boundary feature cannot be used with IAM groups, only with users and roles.

04 Click on the name (link) of the IAM user/role that you want to examine.

05 Select the Permissions tab from the dashboard bottom panel and click Permissions boundary to expand the section with the feature settings. Check the Permissions boundary section for any assigned permissions policies. If no permissions policy is currently attached and the following message is displayed: "No permissions boundary is set for this user/role. This user/role can perform all actions that are allowed by the user's/role's permission policies.", the selected IAM identity does not have a permissions boundary set.

06 Repeat steps no. 3 – 5 to check other necessary AWS IAM users/roles for permissions boundaries.

Using AWS CLI

01 Based on the Amazon IAM identity type that you want to verify, run one of the following CLI commands:

  1. For AWS IAM users:
    • Run the get-user command (OSX/Linux/UNIX) using the name of the IAM user that you want to examine as identifier, to describe the permissions boundary configuration metadata for the selected IAM identity:
      aws iam get-user \
        --user-name cc-project5-developer \
        --query "User.PermissionsBoundary"

    • If the command output returns null, as shown in the example below, the selected AWS IAM user does not have any permissions boundary set:
      null

  2. For AWS IAM roles:
    • Run the get-role command (OSX/Linux/UNIX) using the name of the IAM role that you want to examine as identifier, to list the permissions boundary configuration metadata for the selected IAM identity:
      aws iam get-role \
        --role-name cc-ec2-developer-role \
        --query "Role.PermissionsBoundary"

    • If the command output returns null, as shown in the example below, the selected AWS IAM role does not have any permissions boundary configured:
      null
    

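The audit steps above applied to every user and role in an account, as an added Python example (not Cloud Conformity's tooling). It assumes boto3 for live collection; because list_users and list_roles omit the PermissionsBoundary attribute, each identity is resolved with get_user/get_role just as the commands above do, and service-linked roles (path /aws-service-role/) are skipped because a boundary cannot be set on them. The sample records are constructed.

```python
def missing_boundary(identity):
    """True when a get-user / get-role record carries no PermissionsBoundary
    (the CLI --query in the text prints null for the same condition)."""
    return not identity.get("PermissionsBoundary")


def audit(users, roles):
    """Names of users and roles that still need a boundary, keyed by type.
    Service-linked roles are skipped: a permissions boundary cannot be set on them."""
    return {
        "users": [u["UserName"] for u in users if missing_boundary(u)],
        "roles": [r["RoleName"] for r in roles
                  if missing_boundary(r)
                  and not r.get("Path", "/").startswith("/aws-service-role/")],
    }


def fetch_identities():
    """Live collection (boto3 imported lazily so the checks above run offline).
    list_users/list_roles omit PermissionsBoundary, so every name is resolved
    with get_user/get_role, mirroring the CLI steps."""
    import boto3
    iam = boto3.client("iam")
    users = [iam.get_user(UserName=u["UserName"])["User"]
             for page in iam.get_paginator("list_users").paginate()
             for u in page["Users"]]
    roles = [iam.get_role(RoleName=r["RoleName"])["Role"]
             for page in iam.get_paginator("list_roles").paginate()
             for r in page["Roles"]]
    return users, roles


# Constructed sample records in the shape of get-user / get-role output.
SAMPLE_USERS = [
    {"UserName": "cc-project5-developer", "Path": "/"},
    {"UserName": "bounded-developer", "Path": "/",
     "PermissionsBoundary": {
         "PermissionsBoundaryType": "Policy",
         "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/iam-boundary-policy"}},
]
SAMPLE_ROLES = [
    {"RoleName": "cc-ec2-developer-role", "Path": "/"},
    {"RoleName": "AWSServiceRoleForExample", "Path": "/aws-service-role/example.amazonaws.com/"},
]

if __name__ == "__main__":
    findings = audit(*fetch_identities())
    for kind, names in findings.items():
        for name in names:
            print(f"{kind[:-1]} without permissions boundary: {name}")
```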
Remediation / Resolution

To set up permissions boundaries for specific IAM identities within your AWS account in order to control the maximum permissions that these entities can get, perform the following actions:

Note: A permissions boundary limits the maximum permissions but does not grant access on its own. Only permissions policies grant access, and that access can be limited by a permissions boundary. The AWS IAM identities presented as examples in this conformity rule have attached permissions policies that require limitations (i.e. a permissions boundary).

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Users or Roles, depending on the IAM identity type that you want to check. The permission boundary feature cannot be used with IAM groups, only with IAM users and roles.

04 Click on the name (link) of the IAM user/role that you want to reconfigure.

05 Select the Permissions tab from the dashboard bottom panel and click Permissions boundary to expand the section with the feature configuration.

06 Click the Set boundary button (accessible in the Actions column) to start the setup process for the feature.

07 On the Set the permissions boundary on <user/role_name> page, select a managed policy (customer managed or AWS managed) to set as the permissions boundary for the selected IAM user/role, then click the Set boundary button to apply the chosen permissions. Once the permissions boundary policy has been successfully attached, the following confirmation message should be returned: Permissions boundary <managed_policy_name> has been set for <user/role_name>.

08 Repeat steps no. 3 – 7 to set up permissions boundaries for other AWS IAM users/roles that require permissions limitations.

Using AWS CLI

01 Based on the AWS IAM identity type that you want to reconfigure, run one of the following commands:

  1. For AWS IAM users:
    • To set a permissions boundary for a specific IAM user, run the put-user-permissions-boundary command (OSX/Linux/UNIX) using the name of the user that you want to configure as identifier and the Amazon Resource Name (ARN) of the managed policy that you want to set as the IAM user's permissions boundary as parameter (the command request does not produce an output):
      aws iam put-user-permissions-boundary \
        --user-name cc-project5-developer \
        --permissions-boundary arn:aws:iam::123456789012:policy/iam-boundary-policy

  2. For AWS IAM roles:
    • To set a permissions boundary for a specific IAM role, run the put-role-permissions-boundary command (OSX/Linux/UNIX) using the name of the role that you want to reconfigure as identifier and the ARN of the managed policy that you want to set as the role's permissions boundary as value for the --permissions-boundary parameter (the command request does not return an output):
      aws iam put-role-permissions-boundary \
        --role-name cc-ec2-developer-role \
        --permissions-boundary arn:aws:iam::123456789012:policy/iam-boundary-policy
      

Publication date Jul 26, 2018