Reputation: 3
I want to create an AWS IAM role for a trusted user that has full access EXCEPT to modify the permissions/role of the account owner. A role that allows everything except the ability to "kill the king", so to speak. Since we're using AWS Identity Center with SSO, there are no traditional ARNs that I can build a policy around. Anyone have experience with this type of issue? The rationale here is to safeguard ourselves against this trusted user making a mistake and removing access to the super admin...
I tried creating a policy that allowed '*' but denied 'iam:*' for a user resource, but I could not find an ARN for the super admin to protect, and after some looking, understood that AWS Identity Center users do not have ARNs.
Upvotes: 0
Views: 41
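As an added example (not code from the original post), this is the shape of policy the question describes: an Allow on everything with explicit Deny statements scoped to the principal being protected. Identity Center users themselves have no IAM ARN, but the permission set they sign in with is provisioned into each member account as an IAM role under the path /aws-reserved/sso.amazonaws.com/ (sometimes with a region segment) with a name beginning AWSReservedSSO_<PermissionSetName>_ and a per-account random suffix, and that role does have an ARN a Deny can match. The example assumes the super admin uses a permission set named AdministratorAccess; the instance ID ssoins-EXAMPLE and permission set ID ps-EXAMPLE in the sso:* statement are placeholders to be replaced with the real values from the Identity Center console.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEverything",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "ProtectProvisionedAdminRoleInEveryAccount",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRole",
        "iam:UpdateRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary"
      ],
      "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_AdministratorAccess_*"
    },
    {
      "Sid": "ProtectPermissionSetAndItsAssignments",
      "Effect": "Deny",
      "Action": [
        "sso:DeletePermissionSet",
        "sso:UpdatePermissionSet",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:AttachCustomerManagedPolicyReferenceToPermissionSet",
        "sso:DetachCustomerManagedPolicyReferenceFromPermissionSet",
        "sso:PutPermissionsBoundaryToPermissionSet",
        "sso:DeletePermissionsBoundaryFromPermissionSet",
        "sso:DeleteAccountAssignment"
      ],
      "Resource": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"
    }
  ]
}
```

Two caveats a practitioner would want. First, the wildcard before AWSReservedSSO_ is there because the provisioned role name carries a different random suffix in each account, so the Deny must be attached wherever the trusted user operates (as an inline policy on their own permission set, or via an SCP) rather than written for one account's role ARN. Second, the Allow on "*" still lets the trusted user create fresh admin users or roles for themselves; this policy guards against accidentally removing the owner's access, not against deliberate escalation, and should be validated with the IAM policy simulator against the real role ARN before it is relied on.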