AWS IAM Permissions Boundaries vs. Service Control Policies | by Teri Radichel | Cloud Security | November 2023


ACM.373 Designing the use of permissions boundaries and service control policies for managing credentials within the organization

Part of my series on Automating Cybersecurity Metrics. AWS Organizations. IAM. Deploy a Static Website. The Code.


In the last post I revisited AWS IAM permissions boundaries and how they can help you prevent privilege escalation. I demonstrated, to a certain extent, what they can and cannot do.

In this article, I will consider using a permissions boundary versus a service control policy (SCP) to solve a particular problem.

The problem I would like to solve is:

I want to make sure that users are only allowed to change their own passwords, manage their own MFA devices, and manage their own developer credentials.

Denying the IAM user the ability to modify their own policies is quite simple when you create a user policy, as demonstrated in previous articles.

The problem is that the IAM admin can create a new user, set that user's password, create a policy that allows changing any user's password, assign the overly permissive policy to the new user, and then log in as the new user.

I’ve written about this and other forms of privilege escalation here:

How can we prevent this? One solution was to use a permissions boundary. We could also try to leverage an AWS Organizations service control policy (SCP).
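To make the escalation path and the two mitigations concrete, here is an added example (not code from the post or from AWS): a deliberately simplified, offline model of how an identity policy, a permissions boundary and an SCP combine to decide a request. The policy documents, the `DeveloperBoundary` name and the account id are constructed for the illustration; the condition key `iam:PermissionsBoundary` and the IAM action names are real. The evaluator only models the rules needed here (explicit deny wins; otherwise the request needs an Allow from the identity policy, from the boundary if one is attached, and from every SCP), so it is a teaching aid rather than a substitute for the IAM policy simulator.

```python
"""Simplified offline model of IAM policy evaluation (added example, not the
post's code). Models: explicit Deny wins; otherwise Allow is required from the
identity policy AND the permissions boundary (if attached) AND every SCP."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DeveloperBoundary"  # hypothetical

# IAM actions a user may run against their *own* user and MFA device.
SELF_SERVICE_ACTIONS = [
    "iam:ChangePassword", "iam:CreateAccessKey", "iam:DeleteAccessKey",
    "iam:UpdateAccessKey", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
    "iam:DeactivateMFADevice", "iam:ResyncMFADevice",
]
OWN_RESOURCES = [f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}",
                 f"arn:aws:iam::{ACCOUNT}:mfa/${{aws:username}}"]

# Identity policy for ordinary users: self-service only.
SELF_SERVICE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": SELF_SERVICE_ACTIONS, "Resource": OWN_RESOURCES}]}

# Boundary attached to every developer: developer services plus self-service IAM.
DEVELOPER_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:*", "logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": SELF_SERVICE_ACTIONS, "Resource": OWN_RESOURCES}]}

# IAM admin: may create users and attach policies ONLY when the request names
# the required boundary (real condition key iam:PermissionsBoundary).
IAM_ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy"],
     "Resource": "*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:CreateLoginProfile"],
     "Resource": "*"}]}

# What the rogue admin hands the new user: everything.
OVERLY_PERMISSIVE = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# SCP: nobody in the account, admins included, may strip a user's boundary.
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUserPermissionsBoundary", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, action, resource, principal, ctx):
    """Does this statement apply to the request? (wildcards via fnmatch)"""
    resources = [r.replace("${aws:username}", principal) for r in _as_list(stmt["Resource"])]
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in resources):
        return False
    conds = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(k) == v for k, v in conds.items())


def _decision(policy, action, resource, principal, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, principal, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, resource, principal, identity, boundary=None, scps=(), ctx=None):
    ctx = ctx or {}
    decisions = [_decision(identity, action, resource, principal, ctx)]
    if boundary is not None:
        decisions.append(_decision(boundary, action, resource, principal, ctx))
    decisions += [_decision(scp, action, resource, principal, ctx) for scp in scps]
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def scenarios():
    """Walk through the escalation path from the post and the two mitigations."""
    return {
        "alice_own_password": is_allowed("iam:ChangePassword", user_arn("alice"), "alice", SELF_SERVICE_POLICY),
        "alice_bob_password": is_allowed("iam:ChangePassword", user_arn("bob"), "alice", SELF_SERVICE_POLICY),
        # Admin cannot create a user without naming the boundary in the request.
        "create_user_no_boundary": is_allowed("iam:CreateUser", user_arn("newuser"), "admin", IAM_ADMIN_POLICY),
        "create_user_with_boundary": is_allowed("iam:CreateUser", user_arn("newuser"), "admin", IAM_ADMIN_POLICY,
                                                ctx={"iam:PermissionsBoundary": BOUNDARY_ARN}),
        # newuser was handed "*", but the boundary caps what is effective.
        "newuser_bob_password": is_allowed("iam:ChangePassword", user_arn("bob"), "newuser",
                                           OVERLY_PERMISSIVE, boundary=DEVELOPER_BOUNDARY),
        "newuser_own_password": is_allowed("iam:ChangePassword", user_arn("newuser"), "newuser",
                                           OVERLY_PERMISSIVE, boundary=DEVELOPER_BOUNDARY),
        # The SCP blocks even an unbounded admin from removing the boundary.
        "admin_strip_boundary": is_allowed("iam:DeleteUserPermissionsBoundary", user_arn("newuser"), "admin",
                                           OVERLY_PERMISSIVE, scps=[ORG_SCP]),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
```

The two mitigations cover different principals: the boundary caps whatever the newly created user is handed, while the SCP reaches the admin who is not subject to any boundary. Real IAM evaluation has more steps (resource policies, session policies, case-insensitive action matching), so confirm any production policy with the IAM policy simulator rather than with this model.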
