I need to make an administrator role where only access to a few resources is blocked. This seems straightforward. I can create a role with two policies, one AWS managed AdministratorAccess and a deny policy for the relevant resources.
```yaml
ManagedPolicyArns:
  - arn:aws:iam::aws:policy/AdministratorAccess
Policies:
  - PolicyName: DenyAccess
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Deny
          Action:
            - '*'
          Resource:
            - arn:aws:s3:::example-bucket
            - ...
```
However, because the role now has full IAM access, it seems it can easily bypass the deny policy. To do this it can create a new policy with full access and assign this policy to a Lambda. This Lambda then has full access to the resources which are denied to the original role.
Is there a way to control which resources/actions a role can define in a new policy?
I have tried using permissions boundaries, as suggested in this SO question, but it didn't work.
```yaml
- PolicyName: BoundaryPolicy
  PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Action: 'iam:*'
        Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/*
        Condition:
          StringEquals:
            iam:PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/DenyPolicy
```
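The pattern that closes the hole described in the question is a permissions boundary set through the role's `PermissionsBoundary` property (not attached as an ordinary policy), whose Deny statements also require every principal the admin creates or re-permissions to carry that same boundary, so a Lambda execution role minted by the admin is bounded too. Below is a complete template as an added example; it is not code from the question or from any answer on this page. The names `AdminBoundary` and `RestrictedAdmin`, the `example-bucket` resource, and the account-root trust policy are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: admin role that cannot touch example-bucket and cannot
  create or re-permission a principal that escapes the same restriction.

Resources:
  # Managed policy used only as a permissions boundary. Effective permissions
  # are the intersection of the boundary and the identity policies, so a Deny
  # here wins even though the role also carries AdministratorAccess.
  AdminBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AdminBoundary   # fixed name so its ARN can be built below
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEverythingElse
            Effect: Allow
            Action: '*'
            Resource: '*'
          - Sid: DenyProtectedResources
            Effect: Deny
            Action: '*'
            Resource:
              - arn:aws:s3:::example-bucket      # assumed resource
              - arn:aws:s3:::example-bucket/*
          # The admin must not be able to strip the boundary from any principal
          # or rewrite the boundary document itself.
          - Sid: DenyRemovingBoundary
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
              - iam:DeleteUserPermissionsBoundary
            Resource: '*'
          - Sid: DenyEditingBoundaryPolicy
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Sub arn:aws:iam::${AWS::AccountId}:policy/AdminBoundary
          # Creating a principal, or attaching/inlining a policy on one, is only
          # allowed when that principal carries this same boundary. This is what
          # stops "make a full-access policy, put it on a Lambda role".
          - Sid: DenyPrincipalWithDifferentBoundary
            Effect: Deny
            Action: &PrincipalActions
              - iam:CreateRole
              - iam:CreateUser
              - iam:AttachRolePolicy
              - iam:AttachUserPolicy
              - iam:PutRolePolicy
              - iam:PutUserPolicy
              - iam:PutRolePermissionsBoundary
              - iam:PutUserPermissionsBoundary
            Resource: '*'
            Condition:
              StringNotEquals:
                iam:PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/AdminBoundary
          # Separate statement for the "no boundary at all" case, so the result
          # does not depend on how StringNotEquals treats a missing key.
          - Sid: DenyPrincipalWithNoBoundary
            Effect: Deny
            Action: *PrincipalActions
            Resource: '*'
            Condition:
              'Null':
                iam:PermissionsBoundary: 'true'

  RestrictedAdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: RestrictedAdmin
      PermissionsBoundary: !Ref AdminBoundary   # Ref on a ManagedPolicy yields its ARN
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root   # assumption; narrow for real use
            Action: sts:AssumeRole
```

Two caveats a practitioner should keep in mind. First, the `Null` statement also blocks the admin from adding policies to roles that already exist without a boundary; that is deliberate, because attaching a full-access policy to an existing Lambda or service role is the same escape route. Second, a boundary only governs principals this role creates or edits: pre-existing roles with broad permissions that the admin can assume (`sts:AssumeRole`) or pass to a service (`iam:PassRole`), or whose trust policy it can edit with `iam:UpdateAssumeRolePolicy`, are not covered by it. If the account is in an AWS Organization, an SCP that denies the same resources applies to every principal in the account, including any role the admin creates, and is the cleaner answer to "block a few resources for everyone".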