Kranthi Kumar Basaraju
Reputation: 3
aws iam policy for denying users creating new roles only with my boundary policy
I want to create a policy where the user is restricted from creating a role without my permission boundary! i tried using iam:AttachRolePolicy and Iam:putRolePermissionBoundary but not working still!
Upvotes: 0
Views: 592
Answers (1)
Ian Jenkins
Reputation: 304
The config you are attempting would be accomplished if you granted the user the iam:CreateRole permission with a condition. For example if your permission boundary is a a policy called myPermissionBoundary then attaching the policy below would allow the user to create a role IFF the user also attached the permission boundary to that role.
{
"Sid": "CreateRoleIffPermInPlace",
"Effect": "Allow",
"Action": [
"iam:CreateRole"
],
"Resource": *,
"Condition": {
"StringLike": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/myPermissionBoundary"
}
}
}
Upvotes: 1
Related Questions
- AWS allow user to create policies that doesn't create other policies?
- AWS Deny Policy Role specific account
- AWS IAM Policy to allow user to create IAM Roles (from Management Console & AWS CLI)
- Trying to give IAM user rights to create and assign roles, but limit the type of policies available
- IAM- Switch role for AWS access and policies limit
- IAM policy allow creation of policies, but disallow changes of own account
- Amazon IAM policy: restrict user to create group/role only if one of the attached policy is BaseDeny
- AWS IAM Role Policy Resource Restriction
- AWS IAM: How to prevent privilege elevation with IAM policies?
- AWS IAM Policy to allow user to create IAM User with specific Policy/Roles