Reputation: 300
I'm trying to solve a problem with AWS IAM policies.
I need to allow certain users to only delete/modify resources that are tagged with their particular username (this I've solved) while also being able to create any new AWS resource.
The part I haven't solved is the need to be able to create resources without the ability to modify any existing resources (unless they have the right tag).
Is there an existing AWS policy example that allows a user to create any resource (without granting delete/modify)? Is there a way to allow this without having to list every single AWS offering and continuously update it for new offerings?
Upvotes: 1
Views: 272
Reputation: 300
I managed to solve this problem with a rather ugly solution, but as far as I can tell it's the only solution.
I found a list of all aws actions: https://github.com/rvedotrc/aws-iam-reference
I then parsed out potentially troubling functions like anything with Delete or Terminate in the action name. I used vim/grep for this.
After that I broke that up into multiple aws_iam_group_policy statements. Each statement was attached to a corresponding group. The target users are then added to each of those groups.
Unfortunately, this is pretty ugly and required 5 different groups and policies, but it's the solution I arrived at.
Upvotes: 0
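Added example (not the poster's own code): a Python sketch of the procedure the question and this answer describe. It takes a constructed sample of action names in the style of the linked list, splits them into non-destructive actions that can be granted unconditionally and destructive ones that are granted only when `aws:ResourceTag/owner` matches `${aws:username}`, and packs the unconditional allowlist into as many policy documents as the IAM size limit requires. The verb prefixes, the tag key `owner` and the 6,144-character budget (IAM's managed-policy limit, whitespace excluded) are assumptions made for the example.

```python
import json

# Constructed sample in the style of the rvedotrc/aws-iam-reference list;
# the real list has thousands of entries and would be read from that file.
SAMPLE_ACTIONS = [
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute",
    "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances", "s3:CreateBucket",
    "s3:DeleteBucket", "s3:PutObject", "rds:CreateDBInstance", "rds:DeleteDBInstance",
    "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:UpdateFunctionCode",
]

# Assumed verb prefixes meaning "changes or destroys an existing resource".
# The answer filtered only Delete/Terminate; Modify/Update/Put are added here.
DESTRUCTIVE_VERBS = ("Delete", "Terminate", "Modify", "Update", "Put")


def is_destructive(action, verbs=DESTRUCTIVE_VERBS):
    """True when the verb after 'service:' starts with one of the listed prefixes."""
    return action.split(":", 1)[1].startswith(verbs)


def tag_scoped_statement(actions, tag_key="owner"):
    """Allow the destructive subset only on resources tagged with the caller's username."""
    return {
        "Sid": "MutateOnlyOwnResources",
        "Effect": "Allow",
        "Action": [a for a in actions if is_destructive(a)],
        "Resource": "*",
        "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": "${aws:username}"}},
    }


def render(actions):
    """Compact JSON: IAM measures policy size with whitespace excluded."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}
    return json.dumps(doc, separators=(",", ":"))


def chunk_policies(actions, max_chars=6144):
    """Pack the non-destructive actions into as few policy documents as fit max_chars
    (6,144 is the managed-policy limit; inline group policies allow 5,120)."""
    docs, current = [], []
    for action in (a for a in actions if not is_destructive(a)):
        if len(render(current + [action])) > max_chars:
            if not current:
                raise ValueError(f"{action} alone exceeds {max_chars} characters")
            docs.append(render(current))
            current = []
        current.append(action)
    if current:
        docs.append(render(current))
    return docs
```

Filtering only on Delete and Terminate, as the answer did, leaves Modify*, Update* and Put* actions unconditionally allowed on existing resources, so the verb tuple is the place to extend the filter for your services.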
Reputation: 13632
AdministratorAccess will give all rights to create all services.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator
Upvotes: 0