Update perm boundary to restrict removing/Updating perm boundary for …
…IAM users
Prabhu Manchineella authored and Prabhu Manchineella committed Oct 25, 2023
1 parent 04ef86e commit 6ee8843
Showing 1 changed file with 6 additions and 3 deletions.
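--- a/modules/account-sso/main.tf
+++ b/modules/account-sso/main.tf
@@ -71,16 +71,19 @@ resource "aws_iam_policy" "bcgov_perm_boundary" {
 "iam:Update*",
 "iam:Delete*",
 "iam:DetachRolePolicy",
-"iam:DeleteRolePolicy"
+"iam:DeleteRolePolicy",
+"iam:DeleteUserPermissionsBoundary",
+"iam:PutUserPermissionsBoundary",
+"iam:DeleteRolePermissionsBoundary"
 ]
 Effect = "Deny"
 Resource = [
 "arn:aws:iam::*:policy/BCGOV*",
 "arn:aws:iam::*:role/CloudCustodian",
 "arn:aws:iam::*:role/AWSCloudFormationStackSetExecutionRole",
 "arn:aws:iam::*:role/*BCGOV*",
-"arn:aws:iam::*:instance-profile/EC2-Default-SSM-AD-Role-ip"
-
+"arn:aws:iam::*:instance-profile/EC2-Default-SSM-AD-Role-ip",
+"arn:aws:iam::*:user/*"
 ]
 Sid = "DenyPermBoundaryBCGovAlteration"
 },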
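Review bot: The Action list still lacks `iam:PutRolePermissionsBoundary`, so for the role resources in this statement (`role/CloudCustodian`, `role/*BCGOV*`, the StackSet execution role) a principal under this boundary could still replace the boundary on a matching role if its identity policy otherwise allows it, while the user-side equivalent is now denied; adding `"iam:PutRolePermissionsBoundary",` beside the new entries closes that gap, unless a statement outside the hunk already covers it. The two new `Delete*PermissionsBoundary` actions are already matched by the existing `iam:Delete*` wildcard, so they are redundant rather than wrong, and a short comment such as `# listed explicitly although iam:Delete* already matches them` would stop a later reader from assuming the wildcard was narrowed. Adding `arn:aws:iam::*:user/*` also extends the existing `iam:Update*` and `iam:Delete*` denies to every IAM user, not only the boundary actions, which is broader than the commit message describes and worth confirming as intended. The enclosing `aws_iam_policy.bcgov_perm_boundary` resource begins before this hunk.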
