# Goal: an IAM role that can create policies (`iam:CreatePolicy`) in UAT, but must not be allowed to create any policy for services such as Secrets Manager, KMS, and Lambda
`ayush-iam.json`:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreatePolicy",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "iam:CreatePolicy",
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "aws:RequestTag/Service": [
            "SecretsManager",
            "KMS",
            "Lambda"
          ]
        }
      }
    }
  ]
}
```
## In this policy:
- The first statement allows the `iam:CreatePolicy` action on all resources.
- The second statement denies `iam:CreatePolicy` when the `Service` tag on the request (condition key `aws:RequestTag/Service`) has the value `SecretsManager`, `KMS`, or `Lambda`. This tag condition is how the policy restricts the creation of policies for those services.
## Create an IAM Role:
Next, you'll need to create an IAM role that your users can assume when working in the UAT environment. Attach the custom policy you created earlier to this role.
## Assign the IAM Role to Users:
Finally, you can assign the IAM role to the users who need to perform the createPolicy action in the UAT environment. They can assume the role temporarily using the AWS Management Console, AWS CLI, SDKs, or any other method you prefer.
Remember to test this setup thoroughly to ensure that the permissions and restrictions work as expected before deploying it in a production environment. Also, periodically review and update your IAM policies as needed to maintain a secure and efficient access control strategy.
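The following script is an added example, not code from the original article; it serves both the statement-by-statement explanation above and the advice to test the setup before rolling it out. It embeds the policy from `ayush-iam.json` and re-implements only the IAM evaluation rules that policy relies on (explicit Deny beats Allow, no matching Allow is an implicit deny, `StringEquals`, and the `IfExists` suffix; `Resource` is not modelled since both statements use `*`), so the allow/deny outcome of constructed sample requests can be checked offline. Two things it makes visible: `aws:RequestTag/Service` is read from the tags supplied on the `CreatePolicy` request itself, so a request tagged `Service=KMS` is denied while `Service=S3` (or lowercase `kms`, because `StringEquals` is case-sensitive) is allowed; and because `IfExists` evaluates to true when the key is absent from the request context, a request that carries no `Service` tag at all is also denied, which `without_if_exists()` contrasts with the plain `StringEquals` form. IAM itself (for example the `SimulateCustomPolicy` API) remains the authority on the real decision.

```python
"""Offline dry-run of the tag-conditioned iam:CreatePolicy policy.

Added example, not code from the original article. It re-implements just
the IAM evaluation rules this policy relies on: explicit Deny beats Allow,
no matching Allow is an implicit deny, the StringEquals operator, and the
...IfExists suffix. Resource matching is not modelled (both statements use "*").
"""
import json

# The policy from ayush-iam.json, embedded so the script runs stand-alone.
UAT_CREATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreatePolicy", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "iam:CreatePolicy",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/Service": ["SecretsManager", "KMS", "Lambda"]
                }
            },
        },
    ],
}

SUPPORTED = ("StringEquals", "StringNotEquals")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in a Condition block matches (AND)."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in SUPPORTED:
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    # Documented IfExists behaviour: a key missing from the
                    # request context makes the condition evaluate to TRUE.
                    # Inside a Deny statement that means the Deny fires.
                    continue
                return False
            # StringEquals is an exact, case-sensitive comparison.
            hit = any(a == e for a in _as_list(context[key]) for e in _as_list(expected))
            if base == "StringEquals" and not hit:
                return False
            if base == "StringNotEquals" and hit:
                return False
    return True


def evaluate(policy, action, context):
    """Return 'allow' or 'deny' for one action under the basic IAM rules."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny always wins
        allowed = True
    return "allow" if allowed else "deny"  # no matching Allow: implicit deny


def without_if_exists(policy=UAT_CREATE_POLICY):
    """Copy of the policy with the IfExists suffix dropped, for comparison."""
    variant = json.loads(json.dumps(policy))
    for stmt in variant["Statement"]:
        cond = stmt.get("Condition", {})
        for operator in list(cond):
            if operator.endswith("IfExists"):
                cond[operator[: -len("IfExists")]] = cond.pop(operator)
    return variant


def create_policy_decisions(policy=UAT_CREATE_POLICY):
    """Decisions for constructed sample CreatePolicy requests (request tags only)."""
    cases = {
        "tagged Service=KMS": {"aws:RequestTag/Service": "KMS"},
        "tagged Service=Lambda": {"aws:RequestTag/Service": "Lambda"},
        "tagged Service=S3": {"aws:RequestTag/Service": "S3"},
        "tagged Service=kms (lowercase)": {"aws:RequestTag/Service": "kms"},
        "no Service tag": {},
    }
    return {name: evaluate(policy, "iam:CreatePolicy", ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for label, pol in (("StringEqualsIfExists (as written)", UAT_CREATE_POLICY),
                       ("StringEquals (IfExists dropped)", without_if_exists())):
        print(label)
        for name, decision in create_policy_decisions(pol).items():
            print(f"  {name:32} -> {decision}")
```

Running the script prints the decision for each constructed request under both operator forms; the only case that differs between them is the untagged request, which is the case callers hit when they forget to tag.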
# Let's automate this whole process using Python 🐍 (boto3)
```python
import json

import boto3

# Credentials come from the default credential chain (environment variables,
# the shared config/credentials files, or an attached instance/role profile).
# Keep access keys out of source files. IAM is a global service, so the client
# needs no explicit region.
iam_client = boto3.client('iam')

# Define the policy JSON. The statements mirror ayush-iam.json above; the Deny
# additionally carries a principal condition so that it only applies to the
# principal you want to restrict.
# No aws:RequestedRegion condition is used: IAM requests always report
# us-east-1 for that key, so conditioning the Allow on another region would
# make it never match.
policy_document = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreatePolicy",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "iam:CreatePolicy",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    # Replace with the user/role you want to restrict
                    "aws:PrincipalArn": "arn:aws:iam::*:user/RestrictedUser"
                },
                "StringEqualsIfExists": {
                    # aws:RequestTag/Service is the request-tag condition key used
                    # in ayush-iam.json (aws:RequestedService is not a valid key).
                    "aws:RequestTag/Service": [
                        "SecretsManager",
                        "KMS",
                        "Lambda"
                    ]
                }
            }
        }
    ]
}

# Create the policy
response = iam_client.create_policy(
    PolicyName='LimitedPolicyForUAT',
    PolicyDocument=json.dumps(policy_document),
    Description='Policy to allow creating policies in UAT with restrictions'
)

# Get the ARN of the created policy
policy_arn = response['Policy']['Arn']

# Define the IAM role name
role_name = 'LimitedRoleForUAT'

# Create the role. The trust policy decides who may assume it: set the
# Principal to the account, user, or role ARN of the people who will work in
# UAT, or keep a service principal if an AWS service will assume the role.
role_response = iam_client.create_role(
    RoleName=role_name,
    AssumeRolePolicyDocument=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "lambda.amazonaws.com"  # Modify this if the role will be assumed by a different AWS service
                },
                "Action": "sts:AssumeRole"
            }
        ]
    })
)

# Attach the policy to the role
iam_client.attach_role_policy(
    RoleName=role_name,
    PolicyArn=policy_arn
)

print(f"Policy {policy_arn} created and attached to role {role_response['Role']['Arn']}.")
```
## Enjoy 😉