Restrict AWS Developer Power User access by specifying date condition (DateGreaterThan, DateLessThan)

605 views Asked by At

I have this managed policy for AWS Developer Power User, which gives the user access to all AWS resources and actions except IAM and Organization (Just one level below Admin role).

AssumeRolePolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Principal:
          Federated:
            - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/ABC"
        Action: 'sts:AssumeRoleWithSAML'
        Condition:
          StringEquals:
            SAML:aud: "https://signin.aws.amazon.com/saml"
  Path: /
  Policies:
    - PolicyName: ABC
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            NotAction:
              - iam:*
              - organizations:*
              - account:*
            Resource: '*'  
          - Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteServiceLinkedRole
              - iam:ListRoles
              - organizations:DescribeOrganization  
              - account:ListRegions
            Resource: '*'

I want to restrict the access to the user between particular dates (For ex during deployment schedule) and added below code for Date operator.

Condition:
DateGreaterThan:
  aws:CurrentTime: '2020-04-01T00:00:00Z'
DateLessThan:
  aws:CurrentTime: '2020-06-30T23:59:59Z'

However adding the above condition clause to the PowerUserManaged policy throws error 400 Malformed during deployment of the policy in AWS Console.

Is it possible to add the date condition clause to PowerUserAccess managed policy ? https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_developer-power-user

1

There are 1 answers

2
Chris Williams On

If you want to use the IAM managed policy you can just add another policy to the user to deny to the user if they're outside the date range.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}
            }
        }
    ]
}

An explicit deny will always override any allow statement, for more information over policy evaluation check out the Policy Evaluation page on AWS.