Limited IAM Admin in AWS
AWS Security Architect (Experienced AWS, GCP and Azure Security Architect)
https://awssecurityarchitect.com/aws-iam/limited-iam-admin-in-aws/
Sun, 25 Sep 2022 06:25:51 +0000

Often, we need to pare down the credentials of an IAM admin. This can be accomplished by creating a custom IAM policy for the restricted admin.

What about a limited IAM Admin?

A full IAM Admin can create and manage other IAM Admins. To restrict this, create a custom policy that only allows the attached user to manage their own user ARN. The policy below also restricts which managed policies the admin may attach or detach, so it cannot grant itself or others broader access than intended.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUsersPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile",
        "iam:DeleteUser",
        "iam:UpdateAccessKey",
        "iam:ListAttachedUserPolicies",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:GetPolicy",
        "iam:GetAccountSummary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LimitedAttachmentPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectS3Access",
            "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
          ]
        }
      }
    }
  ]
}
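The key control in the policy above is the ArnEquals condition on iam:PolicyArn: the limited admin may create users but can only attach the two allow-listed managed policies, so attaching AdministratorAccess (or any other policy) is implicitly denied. The following is an added example, not code from the post: a minimal offline evaluator for the subset of IAM policy logic this policy uses (Action/Resource wildcards and ArnEquals/ArnLike conditions), with the post's policy embedded so the escalation path can be checked without calling AWS. It is a simplification of the real IAM engine (no SCPs, permission boundaries or other condition operators), and the account id is a constructed placeholder.

```python
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder for the post's AWS-ACCOUNT-ID
ALLOWED_POLICY_ARNS = [f"arn:aws:iam::{ACCOUNT}:policy/MyProjectS3Access",
                       "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"]

# The post's policy as a Python dict (the ChangePasword typo corrected).
LIMITED_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManageUsersPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateLoginProfile",
                "iam:CreateUser", "iam:DeleteAccessKey", "iam:DeleteLoginProfile",
                "iam:DeleteUser", "iam:UpdateAccessKey", "iam:ListAttachedUserPolicies",
                "iam:ListPolicies", "iam:ListUserPolicies", "iam:ListGroups",
                "iam:ListGroupsForUser", "iam:GetPolicy", "iam:GetAccountSummary"]},
    {"Sid": "LimitedAttachmentPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:AttachUserPolicy", "iam:DetachUserPolicy"],
     "Condition": {"ArnEquals": {"iam:PolicyArn": ALLOWED_POLICY_ARNS}}}]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(pattern, value, fold=False):
    # IAM wildcards are * and ?; action names match case-insensitively, ARNs exactly.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _condition_ok(condition, context):
    # Only the operators this policy needs; any other operator is treated as not matching.
    for operator, pairs in condition.items():
        if operator not in ("ArnEquals", "ArnLike"):
            return False
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None or not any(_matches(p, actual) for p in _as_list(wanted)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if (any(_matches(a, action, fold=True) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
                and _condition_ok(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Note that inline-policy actions such as iam:PutUserPolicy are absent from the first statement, so that route to broader permissions is closed as well; run the same checks against your real policy with the IAM policy simulator before deploying it.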

Summary

A limited IAM Admin policy is useful in many situations. This post describes one such limited policy. For an advanced AWS IAM or overall security consultation, please contact AWS Security Architect.
