Prevent Critical IAM Role Modification

Overview

This AWS Service Control Policy (SCP) is designed to prevent modifications to specific IAM roles within your organization. It enforces restrictions on critical roles that should remain unchanged to ensure security and compliance.

JSON Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventRoleModification",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": [
        "arn:*:iam::*:role/security-audit",
        "arn:*:iam::*:role/OrganizationAccountAccessRole",
        "arn:*:iam::*:role/stacksets-exec-*",
        "arn:*:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/stacksets-exec-*",
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}

Explanation

Statements

  • Sid: "PreventRoleModification" - A unique identifier for this specific statement within the policy.
  • Effect: "Deny" - This policy denies the specified actions.
  • Action: The IAM actions that are denied on the protected roles: attaching and detaching managed policies, putting or deleting inline policies and permissions boundaries, updating the role, its description and its trust (assume-role) policy, and deleting the role. Specifically:
    • iam:AttachRolePolicy
    • iam:DeleteRole
    • iam:DeleteRolePermissionsBoundary
    • iam:DeleteRolePolicy
    • iam:DetachRolePolicy
    • iam:PutRolePermissionsBoundary
    • iam:PutRolePolicy
    • iam:UpdateRole
    • iam:UpdateRoleDescription
    • iam:UpdateAssumeRolePolicy
  • Resource: The specific IAM roles that are protected by this policy. These roles are:
    • arn:*:iam::*:role/security-audit
    • arn:*:iam::*:role/OrganizationAccountAccessRole
    • arn:*:iam::*:role/stacksets-exec-*
    • arn:*:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*
  • Condition: Additional conditions that refine the policy:
    • StringNotLike: The deny applies only when the calling principal's aws:PrincipalArn matches none of the listed patterns. Principals that do match (the stack-set execution roles and OrganizationAccountAccessRole) are exempt and can still modify the protected roles. The patterns are:
      • arn:*:iam::*:role/stacksets-exec-*
      • arn:*:iam::*:role/OrganizationAccountAccessRole
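
The following is an added example, not part of this page or of any AWS tooling: a small offline evaluator that models just the constructs this statement uses (Action, Resource and a StringNotLike condition on aws:PrincipalArn) so you can check, before deploying, which calls the SCP would block and which the exceptions let through. It embeds the policy above and constructed sample ARNs (account 111122223333, user names and role suffixes are made up). IAM's real evaluation has more rules than this models; in particular SCPs never apply to the organization's management account, and an explicit Deny is final regardless of what the identity's own policies allow.

```python
import re

# The PreventRoleModification SCP from this page, embedded so the check runs offline.
PREVENT_ROLE_MODIFICATION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventRoleModification",
            "Effect": "Deny",
            "Action": [
                "iam:AttachRolePolicy", "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary", "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy", "iam:UpdateRole",
                "iam:UpdateRoleDescription", "iam:UpdateAssumeRolePolicy",
            ],
            "Resource": [
                "arn:*:iam::*:role/security-audit",
                "arn:*:iam::*:role/OrganizationAccountAccessRole",
                "arn:*:iam::*:role/stacksets-exec-*",
                "arn:*:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*",
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:*:iam::*:role/stacksets-exec-*",
                        "arn:*:iam::*:role/OrganizationAccountAccessRole",
                    ]
                }
            },
        }
    ],
}


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM string pattern ('*' = any run of characters,
    '?' = exactly one character) into an anchored regular expression."""
    parts = (".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def _matches_any(value: str, patterns, *, ignore_case: bool = False) -> bool:
    """True if `value` matches at least one pattern. IAM compares action
    names case-insensitively but ARNs and condition strings case-sensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(_wildcard_to_regex(p).match(value) for p in patterns)


def is_denied_by_scp(action: str, resource_arn: str, principal_arn: str,
                     policy: dict = PREVENT_ROLE_MODIFICATION_SCP) -> bool:
    """Return True if a Deny statement in `policy` matches this request.
    Only Action, Resource and a StringNotLike condition on aws:PrincipalArn
    are modelled, which is all the statement on this page uses."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches_any(action, stmt["Action"], ignore_case=True):
            continue
        if not _matches_any(resource_arn, stmt["Resource"]):
            continue
        # StringNotLike is satisfied only when the principal matches NONE of
        # the listed patterns; a match means the caller is one of the exempt
        # roles and the deny does not apply to it.
        exempt = (stmt.get("Condition", {})
                      .get("StringNotLike", {})
                      .get("aws:PrincipalArn", []))
        if exempt and _matches_any(principal_arn, exempt):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests (account id and names are made up).
    acct = "111122223333"
    samples = [
        ("iam:UpdateAssumeRolePolicy", f"arn:aws:iam::{acct}:role/security-audit",
         f"arn:aws:iam::{acct}:user/alice"),
        ("iam:UpdateAssumeRolePolicy", f"arn:aws:iam::{acct}:role/app-server",
         f"arn:aws:iam::{acct}:user/alice"),
        ("iam:DeleteRole", f"arn:aws:iam::{acct}:role/security-audit",
         f"arn:aws:iam::{acct}:role/OrganizationAccountAccessRole"),
        ("iam:CreateRole", f"arn:aws:iam::{acct}:role/security-audit",
         f"arn:aws:iam::{acct}:user/alice"),
    ]
    for action, resource, principal in samples:
        verdict = "DENIED " if is_denied_by_scp(action, resource, principal) else "allowed"
        print(f"{verdict} {action:<28} on {resource.split(':role/')[1]:<30} by {principal.rsplit(':', 1)[1]}")
```

Two of the sample rows are worth noting when reviewing the policy: a call from OrganizationAccountAccessRole is not blocked because of the StringNotLike carve-out, so protection of the listed roles is only as strong as control over who can assume the exempt roles, and iam:CreateRole is not in the action list, so the SCP guards existing roles rather than the creation of new ones.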

When to Use This Policy

  • Protecting Critical Roles: Use this policy to prevent unauthorized or accidental changes to critical IAM roles that are essential for security and organization management.
  • Compliance and Security: Ensures that key roles related to security audits, organizational access, and stack sets execution are not tampered with.

Benefits

  • Enhanced Security: By preventing modifications to critical roles, you reduce the risk of security breaches.
  • Compliance Assurance: Helps maintain compliance by ensuring that critical roles remain unchanged.
  • Controlled Access: Restricts actions that can potentially alter the security posture of your AWS environment.

Potential Drawbacks

  • Restricted Flexibility: Legitimate administrative changes to the protected roles require careful planning and may necessitate temporarily lifting the policy.
  • Management Overhead: Requires oversight to ensure that the conditions and exceptions are correctly managed and updated as necessary.

Summary

This SCP is a robust mechanism to safeguard crucial IAM roles within your AWS organization. By enforcing stringent restrictions on role modifications, it helps maintain a secure and compliant cloud environment. Ensure to review and update the policy conditions periodically to accommodate any changes in your organizational structure or security requirements.