Limited IAM Admin in AWS
Often we need to pare down the permissions of an IAM admin. This can be accomplished by creating a custom IAM policy for the restricted admin.
What about a limited IAM Admin?
A full IAM Admin can create and manage other IAM Admins. To restrict this, create a custom policy that only allows the attached user to manage their own user ARN:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUsersPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile",
        "iam:DeleteUser",
        "iam:UpdateAccessKey",
        "iam:ListAttachedUserPolicies",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:GetPolicy",
        "iam:GetAccountSummary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LimitedAttachmentPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectS3Access",
            "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
          ]
        }
      }
    }
  ]
}
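As an added illustration (not code from the post or from AWS), the following Python evaluator applies the policy's two Allow statements to sample requests, showing how the ArnEquals condition on iam:PolicyArn lets the limited admin attach only the two listed managed policies. The account id is a constructed placeholder; the simulator implements only what this policy uses (Allow effects, exact action names, Resource "*" and ArnEquals).

```python
ACCOUNT_ID = "123456789012"  # constructed placeholder for AWS-ACCOUNT-ID

# The post's policy as a Python dict, so the evaluator can run offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageUsersPermissions",
            "Effect": "Allow",
            "Action": ["iam:ChangePassword", "iam:CreateAccessKey",
                       "iam:CreateLoginProfile", "iam:CreateUser",
                       "iam:DeleteAccessKey", "iam:DeleteLoginProfile",
                       "iam:DeleteUser", "iam:UpdateAccessKey",
                       "iam:ListAttachedUserPolicies", "iam:ListPolicies",
                       "iam:ListUserPolicies", "iam:ListGroups",
                       "iam:ListGroupsForUser", "iam:GetPolicy",
                       "iam:GetAccountSummary"],
            "Resource": "*",
        },
        {
            "Sid": "LimitedAttachmentPermissions",
            "Effect": "Allow",
            "Action": ["iam:AttachUserPolicy", "iam:DetachUserPolicy"],
            "Resource": "*",
            "Condition": {"ArnEquals": {"iam:PolicyArn": [
                f"arn:aws:iam::{ACCOUNT_ID}:policy/MyProjectS3Access",
                "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, context):
    """True if this Allow statement matches the action and every condition."""
    if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
        return False
    if "*" not in _as_list(stmt["Resource"]):
        return False  # this policy only ever uses Resource "*"
    for key, wanted in stmt.get("Condition", {}).get("ArnEquals", {}).items():
        # ArnEquals: the request's value must equal one listed ARN; a request
        # without that context key (e.g. no iam:PolicyArn) does not satisfy it.
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def is_allowed(policy, action, context=None):
    """Default deny: the request passes only if some statement matches.
    Real IAM also evaluates Deny statements, SCPs and permission boundaries."""
    context = context or {}
    return any(statement_allows(s, action, context) for s in policy["Statement"])
```

Note that both statements use "Resource": "*", so as written the first statement permits creating or deleting any user in the account, not only the holder's own; scoping it to the intended user ARN is the first thing to verify before deploying this policy.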
Summary
A limited IAM Admin policy is useful in many situations. This post describes one such limited policy. For an advanced AWS IAM or overall security consultation, please Contact AWS Security Architect