Allow a user to create an IAM profile only for specific kind of resources

Question

Hey guys,

My question might be funky but it has a real purpose on our end.

I'm trying to create an IAM profile that allow another user to create IAM profile but only for specific kind of resource. I will take the example of SQS service.
We need a news SQS and for that, we will trigger a new deployment on our deployment tool. Our deployment tool must have limited access to avoid any troubles, so that deployment tool needs to have a profile that allow the creation of an SQS, a user and an IAM profile that will allow that user to use that SQS.

The deployment tool should only be able to create an IAM profile that interact with SQS, nothing else. Is this even possible ? I have been able to allow a user to create IAM profile but for any type of service, which is not what I'm looking for

Thank you in advance for you help.

Regards,

Vincent

Answer

This sounds like the perfect use case for IAM Permissions Boundaries: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
Also see the blog post here explaining a use case that sounds very similar to what you're describing: https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/

Allow a user to create an IAM profile only for specific kind of resources

Contenido relevante