In AWS Organizations, the "management account" is a special account.
It owns all organizational settings and has powerful permissions.
By default, it can register and remove accounts from the organization, handle billing, and manage organization-wide settings.
Reference: AWS Organizations Management Account
Therefore, it is a best practice to limit management account access to a small number of people and delegate functions and operations whenever possible.
The functions that can be delegated are listed in the AWS Services integrated with Organizations documentation.
Functions with "Supports delegated administrator" set to "Yes" can be delegated to specified member accounts.
Reference: AWS Services Integrated with Organizations
Additionally, the management account is not subject to control policies such as SCPs, making it difficult to restrict.
Reference: Service Control Policies (SCP)
For cases where you cannot delegate everything and need to give access to the management account, you can use methods like assigning roles with limited permissions through IAM Identity Center.
Reference: AWS IAM Identity Center
The problem occurs when developers need to create IAM roles.
For example, they want to deploy a Lambda function or setup serverless infrastructure.
There are several ways to handle this. This article explains one approach: Permission Boundaries.
The Challenge: When Allowing iam:CreateRole
When you give someone iam:CreateRole
permission, it looks reasonable.
However, there is a problem: they can create roles with much more permissions than they have.
When these IAM roles are used, the intended permission control becomes ineffective.
Why Permission Boundary Matters in Management Account
Management account has a difficult situation. Developers need to create IAM roles for their applications, but SCPs cannot help - they don't work on management accounts.
Here is an example: a development team wants to deploy a Lambda that reads from S3. They request iam:CreateRole
permission.
The escalation pattern:
- Developer creates role with
s3:GetObject
(intended behavior) - Developer needs CloudWatch logs, adds
logs:CreateLogGroup
- Still getting errors, changes to
logs:*
- More problems occur, adds
*:*
temporarily - Six months later, that temporary role with full permissions is still in production
This escalation pattern happens frequently. Developers focus on making their application work rather than security boundaries.
Permission Boundary acts like a chain that restricts IAM entities. No matter what permissions you try to attach, you cannot break free from the boundary's constraints.
Important point: Setting the boundary is not enough. If users can remove it, the security is gone. You must block iam:DeleteRolePermissionsBoundary
and iam:PutRolePermissionsBoundary
actions.
Operational Reality: Developers initially resist the additional complexity. However, when they understand it enables self-service IAM role creation without security team approval, adoption improves. Self-service approach is more efficient than ticket-based processes.
Debugging Complexity: When permissions fail, troubleshooting becomes harder because you must check both identity-based policies AND Permission Boundaries. Invest in logging and documentation upfront.
Reference: IAM Permissions Boundaries
Implementing Permission Boundary Control
When you want to grant IAM role creation permissions but prevent users from creating roles with excessive permissions, you can use Permission Boundaries for control. By setting a policy that explicitly denies unwanted operations as a Permission Boundary and forcing the application of this Permission Boundary when creating IAM roles, you can control the upper limit of permissions.
Enforcing Permission Boundary Inheritance
A critical challenge emerges when roles create other roles: how do you ensure that "child" and "grandchild" roles maintain the same constraints? Permission Boundaries don't automatically inherit, but you can enforce inheritance through policy design.
The Solution: Self-Referencing Permission Boundary
The key insight is to make the Permission Boundary policy reference itself. Include this condition in your baseline_policy
Permission Boundary:
{
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateRole"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT-ID:policy/baseline_policy"
}
}
}
Why Self-Reference Works:
The baseline_policy
enforces that new roles must have the same Permission Boundary attached. This creates a chain where all created roles inherit the same constraints.
How Self-Reference Creates the Chain:
-
Parent Role has
baseline_policy
as its Permission Boundary - Parent Role attempts to create a new role
- The
baseline_policy
denies the creation unless the new role also getsbaseline_policy
as its Permission Boundary -
Child Role is created with the identical Permission Boundary (
baseline_policy
) - When Child Role creates another role, the same self-referencing constraint applies
-
Grandchild Role and all subsequent generations must also have
baseline_policy
as their Permission Boundary
Chain of Enforcement:
Parent Role (Boundary: baseline_policy)
↓ iam:CreateRole (must specify same boundary)
Child Role (Boundary: baseline_policy)
↓ iam:CreateRole (must specify same boundary)
Grandchild Role (Boundary: baseline_policy)
Additional Protection:
To prevent boundary removal, also deny these actions:
{
"Effect": "Deny",
"Action": [
"iam:DeleteRolePermissionsBoundary",
"iam:PutRolePermissionsBoundary"
],
"Resource": "*"
}
This approach ensures that regardless of how many generations of roles are created, they all maintain the same constraints. This prevents privilege escalation problems.
Alternative Approaches
For permission control in management account, there are other methods besides Permission Boundary:
- Data Migration: When data in the management account is needed, share or copy only the necessary parts of that data to member accounts and build solutions in the member accounts
- Work Separation: Have administrators or CI/CD pipelines handle IAM role creation and deployment work, and give general users only execution permissions
Considerations for Permission Boundary Usage
Permission Boundaries can be used not only in management account but also in member accounts. However, they add operational complexity. Before implementation, evaluate whether the security benefits justify the operational overhead:
- Operational Complexity: Permission Boundaries add an additional layer of policy evaluation, which can make troubleshooting permission issues more complex
- Development Velocity: Strict boundaries may slow down development workflows, especially in environments requiring frequent role modifications
- Maintenance Overhead: Permission Boundary policies need to be maintained and updated as business requirements evolve
- User Experience: Developers may encounter unexpected permission denials, requiring additional training and documentation
Before implementing Permission Boundaries, ensure your team can manage the additional complexity and that the security benefits are significant for your use case.
Reference Links
AWS Organizations and IAM Related
- AWS Organizations Best Practices
- IAM Permissions Boundaries
- AWS Services Integrated with Organizations
AWS Well-Architected Related
-
SEC03-BP02: Grant Least Privilege Access
- >For example, you can allow your workload teams to create their own IAM policies for systems they build, but only if they apply a Permission Boundary to limit the maximum permissions they can grant.
- SEC01-BP01: Separate Workloads Using Accounts
- Security Pillar - AWS Well-Architected Framework
Top comments (0)