AWS::IAM::Role - Tags should be created via tag-on-create #328
Labels: enhancement (New feature or request); security identity compliance (IAM, Cognito, Secrets Manager, GuardDuty, etc.)
Scope of request -> Creation of AWS::IAM::Role tags do not support tag-on-create; tags instead are created after IAM::Role creation.
Expected behavior -> When creating IAM::Role tags, the process of assigning tags to the role AND the role creation itself should together be an atomic operation. In the AWS Console and CLI this is atomic, see chart I created while testing this:
Impact if not addressed -> If the principal creating the stack is subject to a policy that forbids IAM resources such as IAM roles from being created without a tag, then the resources will fail to be created. The workaround is to allow resources to not be created with required tags, however from a security perspective this is not ideal.
Test case recommendation:
Tester needs to create his CFN stack (and role) via an IAM user with a limited and specific set of permissions and not via an admin user:
Category tag -> Security
Any additional context:
The policy-assigned-to-user-creating-iam-users-and-roles.yml stack enforces tag-on-create for the iam:CreateUser and iam:CreateRole actions. The tags “createUserTag” and “createRoleTag” and the user/role are both required to be created atomically (tag-on-create). And it will fail for role creation but not user creation. For steps 5 - 6, creating roles will all of a sudden work, because StringLikeIfExists does not require that the “createRoleTag” be present when requesting the IAM role “lciamrole” to be created.
policy-assigned-to-user-creating-iam-users-and-roles.yml.zip
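To make the failure mode concrete, the following added example (not code from the issue or from the attached stack) simulates how an IAM Allow statement with an aws:RequestTag condition treats the two call sequences described above: the atomic console/CLI path (one CreateRole call carrying the tag) and the CloudFormation path (CreateRole with no tags, then TagRole). It implements only the StringLike and StringLikeIfExists operators, which is enough to show why the stack's StringLikeIfExists variant lets untagged roles through. The policy fragments, the tag key "createRoleTag" and the tag value "required" are constructed for illustration.

```python
"""Simulate IAM condition evaluation for tag-on-create policies (added example).

Assumptions (constructed for this example): an Allow statement on iam:CreateRole
conditioned on aws:RequestTag/createRoleTag, and a separate Allow on iam:TagRole.
"""
import fnmatch


def condition_matches(operator, key, pattern, request_context):
    """Evaluate one IAM condition against the request context.

    request_context maps condition keys such as 'aws:RequestTag/createRoleTag'
    to the value supplied in the API call. Per IAM semantics, a missing key makes
    a plain operator evaluate to False, while an ...IfExists operator evaluates
    to True (the condition is skipped when the key is absent).
    """
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in request_context:
        return if_exists
    value = request_context[key]
    if base == "StringEquals":
        return value == pattern
    if base == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unsupported operator: {operator}")


def is_allowed(policy, action, request_context):
    """True if some Allow statement covers the action with all conditions met.

    No Deny handling is modelled: with only Allow statements, a request that
    matches no statement is implicitly denied.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        conditions = stmt.get("Condition", {})
        if all(
            condition_matches(op, key, pattern, request_context)
            for op, key_values in conditions.items()
            for key, pattern in key_values.items()
        ):
            return True
    return False


def tag_on_create_policy(operator):
    """Build the constructed policy: CreateRole is allowed only if the tag
    condition holds under the given operator; TagRole is allowed unconditionally."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["iam:CreateRole"],
                "Resource": "*",
                "Condition": {operator: {"aws:RequestTag/createRoleTag": "*"}},
            },
            {"Effect": "Allow", "Action": ["iam:TagRole"], "Resource": "*"},
        ],
    }


# Strict form: the tag key must be present on the CreateRole request itself.
STRICT_POLICY = tag_on_create_policy("StringLike")
# Lax form (as in the attached stack): the condition is skipped if the key is absent.
LAX_POLICY = tag_on_create_policy("StringLikeIfExists")


def atomic_create(policy):
    """Console/CLI path: a single CreateRole call that carries the tag."""
    return is_allowed(policy, "iam:CreateRole", {"aws:RequestTag/createRoleTag": "required"})


def two_step_create(policy):
    """CloudFormation path from the issue: CreateRole without tags, then TagRole.

    Returns the per-call decision so the reader can see where the stack would fail.
    """
    steps = [
        ("iam:CreateRole", {}),
        ("iam:TagRole", {"aws:RequestTag/createRoleTag": "required"}),
    ]
    return [(action, is_allowed(policy, action, ctx)) for action, ctx in steps]


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("lax", LAX_POLICY)):
        print(name, "atomic:", atomic_create(policy), "two-step:", two_step_create(policy))
        print(name, "untagged CreateRole allowed:", is_allowed(policy, "iam:CreateRole", {}))
```

Under the strict policy the atomic call succeeds but the two-step sequence is denied at the CreateRole call, which is exactly why a CloudFormation stack fails when the creating principal is bound by a tag-on-create policy. Under the StringLikeIfExists policy both sequences succeed, but so does a CreateRole call with no tag at all, which is the weakening the issue describes as not ideal from a security perspective.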