Does this role have S3 Create Bucket permissions?
A decision was made to remove S3 create bucket permissions from roles to enforce standard S3 bucket configurations via a CloudFormation template created by a pipeline. Using the IAM Policy Simulator, determine whether the AWSLandingZoneNetworkOpsRole has the ability to create buckets.
How do I use the IAM policy simulator?
- Navigate to IAM within the Development Account
- Select Policy Simulator from the links on the right side of the screen
- Select Roles from the drop-down menu
- Select the AWSLandingZoneNetworkOpsRole from the list
- Select S3 from the Service List
- Click the Select All button
- Click the Run Simulation button
- Review the results to see if CreateBucket is allowed
- How would you identify roles, policies, and users with restricted actions across all accounts in your organization?
- What process or solution would you put in place to help ensure restricted actions aren’t granted within your accounts?
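The console steps above can also be run through the IAM API for every role in an account. The following is an added example, not part of the original workshop: it uses the boto3 IAM `list_roles` and `simulate_principal_policy` paginators, and the function name, the `FakeIAM` stand-in and the role ARNs are constructed for illustration.

```python
"""Report IAM roles for which the policy simulator allows a restricted action."""

RESTRICTED_ACTIONS = ("s3:CreateBucket",)


def roles_allowing(iam, actions=RESTRICTED_ACTIONS):
    """Return sorted (role_arn, action) pairs whose simulated decision is "allowed".

    `iam` is a boto3 IAM client, or any object exposing the same paginators.
    """
    findings = []
    simulator = iam.get_paginator("simulate_principal_policy")
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            pages = simulator.paginate(PolicySourceArn=role["Arn"],
                                       ActionNames=list(actions))
            for result_page in pages:
                for result in result_page["EvaluationResults"]:
                    # EvalDecision is "allowed", "explicitDeny" or "implicitDeny".
                    if result["EvalDecision"] == "allowed":
                        findings.append((role["Arn"], result["EvalActionName"]))
    return sorted(findings)


class _FakePaginator:
    def __init__(self, fn):
        self._fn = fn

    def paginate(self, **kwargs):
        return self._fn(**kwargs)


class FakeIAM:
    """Constructed stand-in for the IAM client so the logic runs without AWS access."""
    ROLES = {  # constructed role ARNs mapped to a constructed simulator decision
        "arn:aws:iam::111111111111:role/ExampleRoleA": "implicitDeny",
        "arn:aws:iam::111111111111:role/ExampleRoleB": "allowed",
        "arn:aws:iam::111111111111:role/ExampleRoleC": "explicitDeny",
    }

    def get_paginator(self, name):
        return _FakePaginator(getattr(self, "_" + name))

    def _list_roles(self):
        yield {"Roles": [{"Arn": arn} for arn in self.ROLES]}

    def _simulate_principal_policy(self, PolicySourceArn, ActionNames):
        decision = self.ROLES[PolicySourceArn]
        yield {"EvaluationResults": [{"EvalActionName": a, "EvalDecision": decision}
                                     for a in ActionNames]}
```

Against a real account, pass `boto3.client("iam")` instead of `FakeIAM()`; the caller needs `iam:ListRoles` and `iam:SimulatePrincipalPolicy`, and the check runs once per account with that account's credentials.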