If I make a Lambda job to de-escalate my boss's IAM privileges on Friday afternoons and trigger that via a CloudWatch cron event, they will be able to see that and disable it (unless it is currently Friday afternoon).
What approach can I take to fully rescind my boss's AWS access on Friday afternoons?
Thanks, -neil
Assuming that your boss is an admin or near-admin except on Fridays, this will be difficult or impossible to achieve without placing additional restrictions on your boss.
As a starting point, to give your boss different permissions on Friday afternoons than the rest of the week, you could make your boss's permissions dependent on the current time using the condition keys "aws:DateGreaterThan" and "aws:DateLessThan". For instance, the following permission policy will make a principal admin at any time before or after this Friday:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "DateLessThan": {"aws:CurrentTime": "2023-06-09T00:00:00Z"}
          }
        },
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2023-06-09T23:59:59Z"}
          }
        }
      ]
    }
I am not aware of any way to make a policy like that that applies to all Fridays. One strategy is to use some periodic task to revise that permission policy every week. Another is to forgo issuing permanent credentials and instead use some other application to vend temporary credentials, which refuses to issue any credentials that are valid on Fridays.
However, if the person holding these permissions is an admin except on Fridays, that person can always modify anything in the account (except on Fridays). So you need one of two things:
aws:PrincipalArn condition key in an SCP so I'm not certain that it will work, but it's worth a try. If you take this approach, you will still need to update the time constraints in the SCP periodically, and you need to ensure that your boss does not have admin access to the Organization management account at any time. CloudTrail will probably reveal that permissions on Fridays were refused by an SCP.

In order to make either of these approaches work, your boss also needs to be prohibited from creating new AWS principals with admin (or near-admin) permissions at any time. Otherwise, your boss could simply (on a Monday) create a new admin principal then use those creds on Fridays to bypass your restrictions.
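The "periodic task that revises the permission policy every week" strategy from the answer, as an added example (not code from the question or the answer): it computes the next Friday's UTC window, builds the same two-statement policy with `DateLessThan` / `DateGreaterThan` on `aws:CurrentTime`, and locally checks which times the policy would allow. The `push_policy` helper and the `POLICY_ARN` placeholder are assumptions; the real allow/deny decision is made by IAM, the local check only mirrors the two date conditions.

```python
"""Weekly rewrite of a 'no access on Fridays' IAM permission policy (added example)."""
import json
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"            # aws:CurrentTime uses ISO 8601 in UTC
POLICY_ARN = "arn:aws:iam::123456789012:policy/PLACEHOLDER-no-friday-admin"  # assumed placeholder


def next_friday_window(now: datetime):
    """Return (start, end) of the next Friday in UTC; if `now` is a Friday, that Friday.
    Run the rewrite on a non-Friday (e.g. Thursday) so the new window is in place in time."""
    now = now.astimezone(timezone.utc)
    days_ahead = (4 - now.weekday()) % 7          # Monday=0 ... Friday=4
    start = (now + timedelta(days=days_ahead)).replace(hour=0, minute=0, second=0, microsecond=0)
    return start, start.replace(hour=23, minute=59, second=59)


def build_policy(now: datetime) -> dict:
    """Admin before Friday 00:00:00Z and after Friday 23:59:59Z, nothing in between."""
    start, end = next_friday_window(now)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*",
             "Condition": {"DateLessThan": {"aws:CurrentTime": start.strftime(ISO)}}},
            {"Effect": "Allow", "Action": "*", "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": end.strftime(ISO)}}},
        ],
    }


def allowed_at(policy: dict, when: datetime) -> bool:
    """Local mirror of the two date conditions: True if any Allow statement matches."""
    when = when.astimezone(timezone.utc)
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "DateLessThan" in cond:
            bound = datetime.strptime(cond["DateLessThan"]["aws:CurrentTime"], ISO).replace(tzinfo=timezone.utc)
            if when < bound:
                return True
        if "DateGreaterThan" in cond:
            bound = datetime.strptime(cond["DateGreaterThan"]["aws:CurrentTime"], ISO).replace(tzinfo=timezone.utc)
            if when > bound:
                return True
    return False


def push_policy(policy: dict, policy_arn: str = POLICY_ARN) -> None:
    """Publish the rewritten document as the default version (assumes boto3 and IAM rights)."""
    import boto3  # imported here so the rest of the module runs without it
    boto3.client("iam").create_policy_version(
        PolicyArn=policy_arn, PolicyDocument=json.dumps(policy), SetAsDefault=True)
```

Managed policies keep at most five versions, so a weekly job also has to delete an old version before `create_policy_version` succeeds the sixth time.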