Managing IAM Permission sets - Boundaries - Session policies

Inception

Hello everyone, this article is part of the Terraform + AWS series. It does not depend on any other article; I use this series to publish AWS + Terraform projects and knowledge.


Overview

AWS provides several types of IAM policies, each serving a specific purpose.

Today's article covers the differences between them and how to use each one.


Permission set

An AWS permission set is a collection of policies that defines the permissions granted to a user or a group of users. Permission sets are primarily used to grant access to specific AWS accounts in an AWS Organizations / landing zone environment, through IAM Identity Center.

How to set up a permission set

  • Open up IAM Identity Center.

  • Under Multi-account permissions, open Permission sets.

  • Create permission set.

  • For Permission set type, choose Custom.

  • Here we have several options; we will use an inline policy. Paste the content below, then Next. (The Deny statement uses NotAction rather than Action "*": an explicit Deny on "*" would override the Allow and leave the permission set with no permissions at all.)

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowStatement",
                  "Effect": "Allow",
                  "Action": "iam:*",
                  "Resource": "*"
              },
              {
                  "Sid": "DenyStatement",
                  "Effect": "Deny",
                  "NotAction": "iam:*",
                  "Resource": "*"
              }
          ]
      }
    
  • For the permission set name, type “eraki_us1_Iam_restrections”, then Next and Create.

Now, let's assign it to a specific account.

  • Go back to Multi-account permissions and open AWS accounts.

  • Select an account.

  • Under Assigned users and groups, click Assign users or groups.

  • Select the user or group that will access this account, then Next.

  • Select the permission set you created, then Next and Submit.


IAM Boundaries

A permission boundary is an IAM feature that defines the maximum permissions an identity-based policy can grant to an IAM user or role. It sets a limit on the policies attached to that entity; it does not grant any permissions by itself.

For example, if you attach AdministratorAccess to a user and set a permission boundary that allows iam:* only, that user's effective permissions are limited to iam:*.

Setting up a permission boundary

We already have a user with the AdministratorAccess policy attached, and let's assume we need to restrict this user's privileges to the IAM service only.

  • Open up the IAM console, go to Policies, then Create policy.

  • Choose the JSON editor and paste the content below. (As in the permission set above, the Deny statement uses NotAction: a Deny on "*" would override the Allow and leave the user with no permissions at all.)

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowStatement",
                  "Effect": "Allow",
                  "Action": "iam:*",
                  "Resource": "*"
              },
              {
                  "Sid": "DenyStatement",
                  "Effect": "Deny",
                  "NotAction": "iam:*",
                  "Resource": "*"
              }
          ]
      }
    
  • For the policy name, type “eraki_perBoun_iam” and click Create policy.

  • Open the user.

  • Scroll down, expand Permissions boundary, then click Set permissions boundary.

  • Search for the policy you just created and attach it.


Session policy

You pass a session policy when you use the AWS CLI or AWS API to assume a role or create a federated user session. A session policy limits the permissions that the role's or user's identity-based policies grant to that session; it can only narrow those permissions, never grant new ones.

A session policy is similar in effect to a permission boundary, but it applies to a single assumed-role session rather than to the IAM entity itself.
It limits what the assumed role can do while it is used through the CLI or API, so the session runs with less privilege than the role as a whole. This is a good approach for automated tasks.

aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/YourRoleName \
  --role-session-name YourSessionName \
  --policy file://path-to-session-policy.json

Here the --policy file contains a policy more restrictive than the role's own policies; the session receives only the permissions allowed by both.

If you want to enforce restrictions on a role no matter who assumes it, attach a permission boundary to the role itself to cap the role's privileges.

Then, even if a user assumes a role whose policy grants full access to S3 (like s3:*), the session's effective permissions are still restricted to read-only access on the bucket, as defined in the permission boundary.
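To make the "limit but never grant" rule concrete for both the permission boundary section above and the session policy just described, here is an added example (not code from this article) with a deliberately simplified evaluator: it models wildcard action matching, explicit Deny overriding Allow, and the intersection of identity policy, boundary and session policy. The policy documents are constructed samples; the BROKEN document reproduces the Deny "*" mistake that turns an "IAM only" boundary into "nothing at all".

```python
# Simplified IAM decision model: an added example, not AWS's own engine. It models
# only wildcard action matching, explicit Deny beating any Allow, and the intersection
# rule for boundaries and session policies (they cap, never grant). Resources,
# conditions and resource-based policies are ignored.
from fnmatch import fnmatchcase

def _matches(action, patterns):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = _matches(action, stmt["Action"])
        else:  # NotAction: statement applies to every action NOT listed
            hit = not _matches(action, stmt["NotAction"])
        if hit and stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins, even over a later Allow
        if hit:
            result = "Allow"
    return result

def is_allowed(action, identity, boundary=None, session=None):
    """Effective permission = identity AND boundary AND session policy."""
    return all(evaluate(p, action) == "Allow"
               for p in (identity, boundary, session) if p is not None)

# Constructed sample documents ("Version" omitted for brevity).
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# The boundary as first drafted for this article: Deny "*" overrides Allow "iam:*".
BROKEN = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
                        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}
# Corrected: the Deny covers everything except iam:*.
IAM_ONLY = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
                          {"Effect": "Deny", "NotAction": "iam:*", "Resource": "*"}]}
S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                          "Resource": "*"}]}

def demo():
    return {
        "admin_s3_put": is_allowed("s3:PutObject", ADMIN),
        "broken_boundary_iam": is_allowed("iam:CreateUser", ADMIN, BROKEN),
        "iam_only_iam": is_allowed("iam:CreateUser", ADMIN, IAM_ONLY),
        "iam_only_s3": is_allowed("s3:PutObject", ADMIN, IAM_ONLY),
        "session_caps_put": is_allowed("s3:PutObject", ADMIN, session=S3_READ),
        "session_keeps_get": is_allowed("s3:GetObject", ADMIN, session=S3_READ),
        "session_cannot_grant": is_allowed("s3:GetObject", IAM_ONLY, session=S3_READ),
    }
```

The last entry shows why a session policy cannot be used to widen access: an identity limited to iam:* stays limited even when the session policy allows s3:GetObject.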

By default, when you assume an IAM role using the AWS CLI or the AWS Console, the session duration is one hour (60 minutes).

  • In the AWS Console: when you assume a role via the AWS Management Console (for example, switching roles), the session defaults to 1 hour.

  • In the AWS CLI: you can specify the session duration with the --duration-seconds parameter when calling aws sts assume-role. This lets you request a session length from 15 minutes up to 12 hours, but never longer than the maximum session duration configured on the role itself.

aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/YourRoleName \
  --role-session-name YourSessionName \
  --duration-seconds 3600

aws iam create-role \
  --role-name YourRoleName \
  --assume-role-policy-document file://assume-role-policy.json \
  --max-session-duration 43200  # 12 hours in seconds

That's it, very straightforward, very fast🚀. I hope this article inspired you, and I will appreciate your feedback. Thank you.

Written by

Mohamed El Eraki

Cloud & DevOps Engineer, Linux & Windows SysAdmin, PowerShell, Bash, Python Scriptwriter, Passionate about DevOps, Autonomous, and Self-Improvement, being DevOps Expert is my Aim.