AWS IAM Permission Boundaries Has A Caveat That May Surprise You

AWS IAM Permission Boundaries Has A Caveat That May Surprise You

Note: this article was originally published on September 1, 2021. It erroneously stated that the resource policy could reference the role, rather than the assumed role session. I removed it pending an update. The confusion, complexity, and poor documentation led me to publish I Trust AWS IAM to Secure My Applications. I Don’t Trust the IAM Docs to Tell Me How. The updated version was published on September 29.

Resource policies can short-circuit the evaluation before the permissions boundary is evaluated
Resource policies can short-circuit the evaluation before the permissions boundary is evaluated
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "arn:aws:sts::123456789012:assumed-role/MyRole/SessionName",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/MyRole"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotAction": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "*:*",
"Resource": "*"
}
]
}

Cloud Robotics Research Scientist at @iRobot