Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

SCP for iam:CreateUser

0

I'm trying to setup a scp to prevent iam:CreateUser and iam:CreateAccessKey for all the IAM users except the administrators. The issue is administrators IAM role arn is like arn:aws:iam::--------:role/aws-reserved/sso.amazonaws.com/eu-north-1/AWSReservedSSO_AWSAdministratorAccess and its dynamically changes for every account.

Any idea how I can define a common IAM role arn which covers all administrator's IAM roles across my accounts

Themen
Sicherheit, Identität & KonformitätManagement & Unternehmensführung
Tags
Sicherheit, Identität & KonformitätAWS Identity and Access ManagementIAM-RichtlinienRichtlinie zur Dienstleistungskontrolle
Sprache
English
rePost-User-0355221
gefragt vor einem Jahr665 Aufrufe
2 Antworten
0
Akzeptierte Antwort

Hello, Please review the below example of such an SCP policy:

A few highlights:

  • Your referenced ARN suggests that you are trying to create an common permission set with AWS IAM Identity Center, and apply the common permission set to multiple accounts that multiple administrators can assume a role into to make administrative changes. Below in the SCP I have replicated such a reference with the AWS Principal ARN list. Note - You can add multiple entries into the list to cover multiple applied SSO permission sets.
  • Also notice the "*" within the policy to cover the changing account fields, and the SSO user reference that's appended on the end of the AWSReservedSSO role ARN. Its always best practice to be as explicit as reasonably possible, but I just wanted to highlight the trailing * for your attention to adjust accordingly.

Hope this helps !

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAccessWithException", "Effect": "Deny", "Action": [ "iam:CreateUser", "iam:CreateAccessKey" ], "Resource": [ "*" ], "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_*" ] } } } ] }

  • Lewis
AWS
LewisG
beantwortet vor einem Jahr
0

Take a look at this: Prevent IAM users and roles from making specified changes, with an exception for a specified admin role.

profile pictureAWS
EXPERTE
kentrad
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt