
What is the best approach to revoking/rescinding your boss's AWS credentials for only Friday afternoons?


If I make a lambda job to de-escalate my boss's IAM privileges on Friday afternoons and trigger that via a cloudwatch cron event, they will be able to see that and disable it (unless it is currently Friday afternoon).

What approach can I take to fully rescind my boss's AWS access on Friday afternoons?

Thanks, -neil


Solution

  • Assuming that your boss is an admin or near-admin except on Fridays, this will be difficult or impossible to achieve without placing additional restrictions on your boss.

    As a starting point, to give your boss different permissions on Friday afternoons than the rest of the week, you could make your boss's permissions dependent on the current time using the condition keys "aws:DateGreaterThan" and "aws:DateLessThan". For instance, the following permission policy will make a principal admin at any time before or after this Friday:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "DateLessThan": {"aws:CurrentTime": "2023-06-09T00:00:00Z"}
                }
            },
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {"aws:CurrentTime": "2023-06-09T23:59:59Z"}
                }
            }
        ]
    }
    

    I am not aware of any way to make a policy like that that applies to all Fridays. One strategy is to use some periodic task to revise that permission policy every week. Another is to forgo issuing permanent credentials and instead use some other application to vend temporary credentials, which refuses to issue any credentials that are valid on Fridays.

    However, if the person holding these permissions is an admin except on Fridays, that person can always modify anything in the account (except on Fridays). So you need one of two things:

    1. Your boss always lacks permissions to modify whatever restricts its Friday permissions. You could make it an admin but add Deny rules that prohibit it from editing its permission policies or from tampering with the Lambda that updates the permission policies (or anything else that it depends on). If your boss needs to be able to access CloudTrail, then you will not be able to prevent your boss from learning of your mechanism, only prevent your boss from tampering with it.
    2. Use some mechanism outside of the account to limit your boss's access. If you put your account in an Organization, you might be able to use an SCP to deny one specific principal from accessing things on Fridays. I've never tried using the aws:PrincipalArn condition key in an SCP so I'm not certain that it will work, but it's worth a try. If you take this approach, you will still need to update the time constraints in the SCP periodically, and you need to ensure that your boss does not have admin access to the Organization management account at any time. CloudTrail will probably reveal that permissions on Fridays were refused by an SCP.

    In order to make either of these approaches work, your boss also needs to be prohibited from creating new AWS principals with admin (or near-admin) permissions at any time. Otherwise, your boss could simply (on a Monday) create a new admin principal then use those creds on Fridays to bypass your restrictions.
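As an added illustration (not code from the answer above) of the "periodic task to revise that permission policy every week" combined with option 1's standing Deny, the following script builds the week's policy document for the next Friday afternoon and includes a small evaluator for its time conditions. It assumes the window opens at 12:00 UTC and uses an illustrative Deny action list; a real deployment would scope the Deny's Resource to the actual policy, Lambda and EventBridge rule ARNs.

```python
from datetime import date, datetime, time, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp form IAM expects for aws:CurrentTime

def friday_window(today: date, start_hour: int = 12):
    """(start, end) of the next Friday afternoon in UTC. A Friday counts as
    'next' Friday, so a policy rewritten Friday morning still covers it."""
    friday = today + timedelta(days=(4 - today.weekday()) % 7)  # Mon=0, Fri=4
    start = datetime.combine(friday, time(start_hour), tzinfo=timezone.utc)
    end = datetime.combine(friday, time(23, 59, 59), tzinfo=timezone.utc)
    return start, end

def build_policy(today: date) -> dict:
    """Policy for this week: admin outside the Friday window, plus a standing
    Deny so the principal cannot tamper with the mechanism (assumed list)."""
    start, end = friday_window(today)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*",
             "Condition": {"DateLessThan": {"aws:CurrentTime": start.strftime(FMT)}}},
            {"Effect": "Allow", "Action": "*", "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": end.strftime(FMT)}}},
            # Deny always wins over Allow: block editing this policy, minting new
            # principals or keys, and touching the scheduler. Illustrative action
            # list; narrow Resource to the real policy/function/rule ARNs.
            {"Effect": "Deny", "Resource": "*",
             "Action": ["iam:PutUserPolicy", "iam:DeleteUserPolicy",
                        "iam:AttachUserPolicy", "iam:DetachUserPolicy",
                        "iam:CreateUser", "iam:CreateRole", "iam:CreateAccessKey",
                        "lambda:UpdateFunctionCode", "lambda:DeleteFunction",
                        "events:DisableRule", "events:DeleteRule", "events:PutRule"]},
        ],
    }

def is_allowed(policy: dict, now: datetime) -> bool:
    """Evaluate only the time conditions on the Allow statements (the Deny
    above targets specific actions and is not modelled here)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        ok = True
        for op, kv in st.get("Condition", {}).items():
            t = datetime.strptime(kv["aws:CurrentTime"], FMT).replace(tzinfo=timezone.utc)
            ok &= now < t if op == "DateLessThan" else now > t
        if ok:
            return True
    return False
```

Run it from the weekly scheduler and push the result with the IAM API; on a Saturday it already targets the following Friday, so rewriting right after the window closes leaves no gap.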