
AWS::IAM::Role - Tags should be created via tag-on-create #328

Open
aws-wwps-ps-mmch opened this issue Jan 6, 2020 · 0 comments
Labels
enhancement New feature or request security identity compliance IAM, Cognito, Secrets Manager, GuardDuty, etc.

Comments


aws-wwps-ps-mmch commented Jan 6, 2020

Scope of request -> Creation of AWS::IAM::Role tags does not support tag-on-create; tags are instead created after IAM::Role creation.

Expected behavior -> When creating IAM::Role tags, the process of assigning tags to the role AND the role creation itself should together be an atomic operation. In the AWS Console and CLI this is atomic; see the chart I created while testing this:

Impact if not addressed -> If the principal creating the stack is subject to a policy that forbids IAM resources such as IAM roles from being created without a tag, then the resources will fail to be created. The workaround is to allow resources to be created without the required tags; however, from a security perspective this is not ideal.

|         | IAM Users, tag-on-create | IAM Roles, tag-on-create | IAM Users, tag-after-create | IAM Roles, tag-after-create |
|---------|--------------------------|--------------------------|-----------------------------|-----------------------------|
| Console | Yes                      | Yes                      | Yes (obviously)             | Yes (obviously)             |
| CFN     | Yes                      | No                       | Yes                         | Yes                         |
| CLI     | Yes                      | Yes                      | Yes                         | Yes                         |
| API     | ???                      |                          |                             |                             |

Test case recommendation:

The tester needs to create the CFN stack (and role) via an IAM user with a limited and specific set of permissions, not via an admin user:

  1. See attached “policy-assigned-to-user-creating-iam-users-and-roles.yml” file. Please create this stack first.
  2. Once the stack is created, take a test IAM user, remove all policies and groups, and assign him to the “test-iam-group”.
  3. With the test IAM user, launch your “lccustomeriamandrole1.yaml” stack. It will fail with "CREATE_FAILED - API: iam:CreateRole User: arn:aws:iam::123456789012:user/mchantest1 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012role/test-lciamrole-1N4936EXCU8KQ"
  4. Delete your “lccustomeriamandrole1.yaml” stack
  5. Try again - edit “policy-assigned-to-user-creating-iam-users-and-roles.yml”, jump to line 135, uncomment “StringLikeIfExists”, and comment out “StringLike”.
  6. Relaunch the “lccustomeriamandrole1.yaml” stack; now it will work, and you will find “lciamrole” successfully created. This shows that CFN can create the tag, albeit AFTER IAM role creation, which is not ideal.

Category tag -> Security

Any additional context:

The policy-assigned-to-user-creating-iam-users-and-roles.yml stack enforces tag-on-create for the iam:CreateUser and iam:CreateRole actions. The tags “createUserTag” and “createRoleTag” and the user/role are both required to be created atomically (tag-on-create). It will fail for role creation but not for user creation. For steps 5 - 6, creating roles will all of a sudden work, because StringLikeIfExists does not require that the “createRoleTag” be present when requesting the IAM role “lciamrole” to be created.

policy-assigned-to-user-creating-iam-users-and-roles.yml.zip
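The attached policy file is not reproduced on this page, so the following is an added example, not the issue author's YAML and not CloudFormation code: a small Python model of the `aws:RequestTag/createRoleTag` condition the issue describes, evaluated against two constructed `iam:CreateRole` request shapes (tags sent in the create call, as the Console and CLI do, and a tag-less create call, which is what the issue reports CloudFormation sends before tagging). The statement, the tag value `lciamrole`, and the evaluator are assumptions built from the issue text; the evaluator only models the documented meaning of the `...IfExists` suffix (a missing condition key counts as satisfied) and is not the real IAM policy engine.

```python
import re

# Assumed reconstruction of the issue's policy statement (the real YAML is in
# the attachment, not on the page): allow iam:CreateRole only when the request
# carries a "createRoleTag" tag.
def create_role_statement(operator):
    """Build an Allow statement for iam:CreateRole gated on aws:RequestTag.

    operator is "StringLike" (tag key must be present in the request) or
    "StringLikeIfExists" (condition is satisfied when the key is absent).
    """
    return {
        "Effect": "Allow",
        "Action": "iam:CreateRole",
        "Resource": "*",
        "Condition": {operator: {"aws:RequestTag/createRoleTag": "*"}},
    }


def _glob_match(pattern, value):
    # IAM string matching supports only the "*" and "?" wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_satisfied(condition, request_tags):
    """Simplified evaluator for aws:RequestTag/<key> conditions only.

    Teaching model of the IfExists semantics: a missing condition key makes the
    condition true instead of false. Not the real IAM policy engine.
    """
    prefix = "aws:RequestTag/"
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("StringLike", "StringEquals"):
            raise ValueError(f"unsupported operator: {operator}")
        for cond_key, pattern in pairs.items():
            if not cond_key.startswith(prefix):
                raise ValueError(f"unsupported condition key: {cond_key}")
            tag_key = cond_key[len(prefix):]
            if tag_key not in request_tags:
                if if_exists:
                    continue  # key absent: IfExists treats the check as passed
                return False  # key absent: plain operator fails the check
            value = request_tags[tag_key]
            if base == "StringLike":
                matched = _glob_match(pattern, value)
            else:
                matched = value == pattern
            if not matched:
                return False
    return True


def create_role_allowed(operator, request_tags):
    """Whether the CreateRole call is allowed under the chosen operator."""
    stmt = create_role_statement(operator)
    return condition_satisfied(stmt["Condition"], request_tags)


# Constructed requests. Console/CLI put the tags in the CreateRole call itself;
# per the issue, CloudFormation calls CreateRole with no tags and tags the role
# afterwards, so its CreateRole request looks like the empty one.
TAG_ON_CREATE = {"createRoleTag": "lciamrole"}
CFN_CREATE_THEN_TAG = {}


def compare_operators():
    """Outcome of the CreateRole call per request shape, for each operator."""
    return {
        op: {
            "tag-on-create": create_role_allowed(op, TAG_ON_CREATE),
            "create-then-tag": create_role_allowed(op, CFN_CREATE_THEN_TAG),
        }
        for op in ("StringLike", "StringLikeIfExists")
    }


if __name__ == "__main__":
    for op, outcome in compare_operators().items():
        print(op, outcome)
```

Running it reproduces the issue's observation: under `StringLike` the tag-less CreateRole that CloudFormation sends is denied (the CREATE_FAILED in step 3), while switching to `StringLikeIfExists` (step 5) lets it through. The second result is also why the workaround weakens the control: the same policy now permits any principal it applies to to create a role with no `createRoleTag` at all, not only CloudFormation, so the tag ends up present only because CloudFormation happens to add it afterwards, not because the policy enforces it.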

@TheDanBlanco TheDanBlanco added enhancement New feature or request security identity compliance IAM, Cognito, Secrets Manager, GuardDuty, etc. labels Jan 21, 2020
@WaelA WaelA changed the title AWS::IAM::Role-Tags should be created via tag-on-create AWS::IAM::Role - Tags should be created via tag-on-create Aug 4, 2021