
CMS Essentials Permissions Boundary

As part of CMS Essentials onboarding, SoftwareOne applies a Permissions Boundary to all IAM principals in the AWS Master Payer account. This permissions boundary is designed to restrict access to the AWS Cost Explorer, protect SoftwareOne (SWO) resources, and conditionally lock access to the support console for Partner Led Support (PLS) customers. By applying this boundary, SoftwareOne ensures compliance with the AWS Solution Provider Program (SPP) by safeguarding partner discounts, preventing confusion over pricing discrepancies, and maintaining adherence to PLS program requirements, thereby avoiding potential penalties or customer removal from the program.

It is important to note that a Permissions Boundary does not independently grant permissions; it acts as a filter that constrains the permissions defined in IAM policies.

This Permissions Boundary automatically applies to all IAM principals in the management (payer) AWS account.

The following list outlines every rule in this policy. Each rule is listed by its statement Sid, followed by its Effect, Action, Resource, Condition and an Explanation.

AllowAdminAccess
  Effect: Allow
  Action: All actions (*)
  Resource: All resources (*)
  Condition: None
  Explanation: Grants all actions across AWS resources unless explicitly restricted by the deny rules below. Because a boundary only filters, this statement does not by itself give a principal any permission; it simply lets through whatever the principal's own IAM policies already allow.

ProtectSWOCostAndUsageReports
  Effect: Deny
  Action: cur:*ReportDefinition
  Resource: CUR reports starting with "SWO" or "swo"
  Condition: Deny unless the requester's ARN is in specified administrative roles.
  Explanation: Protects cost and usage reports from unauthorised modifications, ensuring only trusted roles can make changes.

DenyAlterationOfPB
  Effect: Deny
  Action: IAM policy modifications (iam:*Policy*)
  Resource: SWOMasterPermissionsBoundary policy
  Condition: Deny unless the requester is in an administrative role.
  Explanation: Protects the permissions boundary policy itself from being altered by unauthorised users.

DenyRemovalOfPB
  Effect: Deny
  Action: iam:DeleteUserPermissionsBoundary, iam:DeleteRolePermissionsBoundary
  Resource: All users and roles
  Condition: Deny if SWOMasterPermissionsBoundary is the boundary and the requester is not in an administrative role.
  Explanation: Ensures that the permissions boundary remains applied, enforcing security.

DenyAccessIfPBIsNotApplied
  Effect: Deny
  Action: iam:PutUserPermissionsBoundary, iam:PutRolePermissionsBoundary
  Resource: All users and roles
  Condition: Deny if the boundary being applied is not SWOMasterPermissionsBoundary.
  Explanation: Ensures only the intended permissions boundary is used, maintaining the security structure.

DenyModificationOfSWORolesAndPolicies
  Effect: Deny
  Action: IAM role and policy modifications (iam:*Policy*, iam:*Role*)
  Resource: Roles and policies starting with "SWO" or "swo"
  Condition: Deny unless the requester is in an administrative role.
  Explanation: Protects key SWO IAM roles and policies from unauthorised changes.

DenyModificationOfSWOStacks
  Effect: Deny
  Action: CloudFormation stack modifications (cloudformation:*Stack, cloudformation:UpdateTerminationProtection)
  Resource: Stacks starting with "SWO" or "swo"
  Condition: Deny unless the requester is in an administrative role.
  Explanation: Prevents unauthorised changes to critical SWO CloudFormation stacks.

DenyModificationOfSWOLambdas
  Effect: Deny
  Action: Lambda function modifications (lambda:*Function*, lambda:AddPermission, lambda:RemovePermission)
  Resource: Functions starting with "SWO" or "swo"
  Condition: Deny unless the requester is in an administrative role.
  Explanation: Protects key SWO Lambda functions from unauthorised changes.

DenyModificationOfSWOSNSTopics
  Effect: Deny
  Action: SNS topic modifications (sns:DeleteTopic, sns:SetTopicAttributes, sns:AddPermission, sns:RemovePermission)
  Resource: Topics starting with "SWO" or "swo"
  Condition: Deny unless the requester is in an administrative role.
  Explanation: Ensures that critical SNS topics are not altered without proper authorisation.

DenyModificationOfOrgSCP
  Effect: Deny
  Action: Organizational SCP modifications (organizations:RemoveAccountFromOrganization, organizations:UpdateOrganizationalUnit, organizations:UpdatePolicy, etc.)
  Resource: SCPs, accounts, roots, and OUs in the organization
  Condition: Deny unless the requester is in an expanded list of administrative roles, including Control Tower and related roles.
  Explanation: Protects the organizational structure and SCPs from unauthorised changes.

ProtectSWOCloudTrail
  Effect: Deny
  Action: CloudTrail modifications (cloudtrail:StopLogging, cloudtrail:DeleteTrail)
  Resource: Trails starting with "SWO" or "swo"
  Condition: Deny unless the requester is in an administrative role.
  Explanation: Ensures logging remains active, which is crucial for auditing and security compliance. Applies to the SWO trail.

ProtectSWOEventBridgeRules
  Effect: Deny
  Action: EventBridge rule modifications (events:*Rule)
  Resource: Rules starting with "SWO" or "swo"
  Condition: Deny unless the requester is in an SWO administrative role.
  Explanation: Protects critical event-driven SWO architecture components from unauthorised modifications.

DenyAccessToBillingPortal
  Effect: Deny
  Action: Billing-related actions (budgets:*Budget, ce:UpdatePreferences, ce:*Report, cur:*, billing:*, etc.)
  Resource: All billing-related resources: Budgets, Cost Explorer, Cost and Usage Reports, Tax Settings and Services, Billing Services, Invoicing Services, Payments, Account Management
  Explanation: Restricts access to sensitive billing data and actions to prevent unauthorised financial activities.
  Note: When using an AWS partner, Cost Explorer data includes partner discounts, leading to discrepancies when comparing it with invoices. For accurate cost tracking, SoftwareOne recommends using AWS Billing Conductor or a third-party Cloud Spend Management tool to reflect correct data.

DenySupportConsole (Conditional)
  Effect: Deny
  Action: Support console access (support:*)
  Resource: All resources
  Condition: Applies if Partner Led Support (PLS) guardrails are enabled and the requester is not in a specified support role.
  Explanation: Ensures only authorised personnel can access the support console, preventing unauthorised changes to critical settings.
  Note: For PLS customers, all tickets must be submitted through SoftwareOne, and restricting console access is a mandatory requirement of the PLS program.
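To make the "a boundary is a filter, not a grant" point concrete, the following is an added illustration (not SoftwareOne's policy or code). It re-expresses a subset of the rules above (AllowAdminAccess, DenyRemovalOfPB, DenyAccessIfPBIsNotApplied, ProtectSWOCloudTrail, DenyAccessToBillingPortal) as IAM-style statements and evaluates constructed requests the way IAM evaluates an identity policy together with a permissions boundary. The account id, the administrative role name, the customer role name and the exact condition keys of the real policy are assumptions; the page only describes the rules in prose.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"  # constructed placeholder for the payer account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/SWOMasterPermissionsBoundary"
ADMIN_ROLES = [f"arn:aws:iam::{ACCOUNT}:role/SWOAdminRole"]  # assumed name of an administrative role
CUSTOMER_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/CustomerAdmin"  # constructed customer-managed role

# Subset of the boundary as IAM-style statements. The real policy's wording and
# condition keys are not shown on the page; this shape is a reconstruction.
BOUNDARY = [
    {"Sid": "AllowAdminAccess", "Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
    {"Sid": "DenyRemovalOfPB", "Effect": "Deny",
     "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
     "Resource": ["*"],
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN},
                   "ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLES}}},
    {"Sid": "DenyAccessIfPBIsNotApplied", "Effect": "Deny",
     "Action": ["iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
     "Resource": ["*"],
     "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    {"Sid": "ProtectSWOCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": [f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/SWO*",
                  f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/swo*"],
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLES}}},
    {"Sid": "DenyAccessToBillingPortal", "Effect": "Deny",
     "Action": ["budgets:*Budget", "ce:UpdatePreferences", "ce:*Report", "cur:*", "billing:*"],
     "Resource": ["*"]},
]


def _any_match(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, case-sensitively."""
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Evaluate the three condition operators used above against request-context keys."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals", "ArnNotLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            # Negated operators hold when the key is absent from the request, as in IAM.
            if operator == "ArnNotLike" and actual is not None and _any_match(expected, actual):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Decision for one policy: an explicit Deny wins, an Allow counts only if no Deny
    matches, and a request that no statement matches is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy:
        if not (_any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(identity_policy, action, resource, ctx, boundary=BOUNDARY):
    """The boundary grants nothing: a request succeeds only if the identity policy and
    the boundary both allow it, and an explicit Deny in either one wins."""
    ident = evaluate(identity_policy, action, resource, ctx)
    bound = evaluate(boundary, action, resource, ctx)
    if "Deny" in (ident, bound):
        return "Deny"
    return "Allow" if ident == bound == "Allow" else "ImplicitDeny"


FULL_ACCESS = [{"Sid": "Full", "Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]
S3_READ_ONLY = [{"Sid": "S3", "Effect": "Allow", "Action": ["s3:Get*"], "Resource": ["*"]}]


def demo():
    """Constructed sample requests and the decision the boundary yields for each."""
    swo_trail = f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/swo-audit"
    own_trail = f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/customer-audit"
    as_customer = {"aws:PrincipalArn": CUSTOMER_ADMIN}
    as_swo_admin = {"aws:PrincipalArn": ADMIN_ROLES[0]}
    other_pb = f"arn:aws:iam::{ACCOUNT}:policy/SomeOtherBoundary"
    return {
        # Day-to-day work is untouched: AllowAdminAccess passes it through.
        "ec2_customer": effective_decision(FULL_ACCESS, "ec2:RunInstances", "*", as_customer),
        # The boundary filters; it never adds rights the identity policy lacks.
        "ec2_s3_only": effective_decision(S3_READ_ONLY, "ec2:RunInstances", "*", as_customer),
        # ProtectSWOCloudTrail: SWO trails only, and only for non-administrative requesters.
        "stop_swo_trail_customer": effective_decision(FULL_ACCESS, "cloudtrail:StopLogging", swo_trail, as_customer),
        "stop_swo_trail_admin": effective_decision(FULL_ACCESS, "cloudtrail:StopLogging", swo_trail, as_swo_admin),
        "stop_own_trail_customer": effective_decision(FULL_ACCESS, "cloudtrail:StopLogging", own_trail, as_customer),
        # DenyAccessToBillingPortal carries no requester condition in the table.
        "cost_explorer_admin": effective_decision(FULL_ACCESS, "ce:UpdatePreferences", "*", as_swo_admin),
        # DenyRemovalOfPB and DenyAccessIfPBIsNotApplied keep the boundary in place.
        "remove_pb_customer": effective_decision(FULL_ACCESS, "iam:DeleteRolePermissionsBoundary", CUSTOMER_ADMIN,
                                                 {**as_customer, "iam:PermissionsBoundary": BOUNDARY_ARN}),
        "swap_pb_customer": effective_decision(FULL_ACCESS, "iam:PutRolePermissionsBoundary", CUSTOMER_ADMIN,
                                               {**as_customer, "iam:PermissionsBoundary": other_pb}),
        "reapply_pb_customer": effective_decision(FULL_ACCESS, "iam:PutRolePermissionsBoundary", CUSTOMER_ADMIN,
                                                  {**as_customer, "iam:PermissionsBoundary": BOUNDARY_ARN}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision}")
```

The "ec2_s3_only" case is the one worth pausing on: the boundary's AllowAdminAccess statement matches, yet the request is still implicitly denied, because the principal's own policy never allowed it. Against a real account the equivalent check is the IAM policy simulator (aws iam simulate-principal-policy), which applies the attached boundary automatically.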
