Mandy
Reputation: 33
AWS Policy Restrict Permission Based On Service
I need to provide IAM role creation permission to a user but with a condition that if he does it only from some AWS service. For example, if a user running cloudformation stack and attempting to create an IAM role, he should be allowed. if he manually creating role it should be denied. or if a person creating a codepipeline he should have permission to create the role.
Upvotes: 0
Views: 173
Answers (1)
Dude0001
Reputation: 3430
The concept you are looking for sounds like service-linked roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
However, I don't think it is supported for CloudFormation or CodePipeline
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
Upvotes: 1
Related Questions
- IAM user policy that can only triggered by a AWS service (Condition)
- IAM policy problem I want to attach only one policy and deny others
- AWS IAM Roles : How to identify specific permission for each AWS service
- AWS Deny Policy Role specific account
- AWS IAM Policy grant permissions for some EC2 instances
- IAM- Switch role for AWS access and policies limit
- IAM policy to restrict EC2 access based on tag
- AWS IAM Policy to Grant All service permission to specific instances
- Amazon IAM policy: restrict user to create group/role only if one of the attached policy is BaseDeny
- AWS IAM Policy for restricting instances by associated IAM role