Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

SCP for iam:CreateUser

0

I'm trying to setup a scp to prevent iam:CreateUser and iam:CreateAccessKey for all the IAM users except the administrators. The issue is administrators IAM role arn is like arn:aws:iam::--------:role/aws-reserved/sso.amazonaws.com/eu-north-1/AWSReservedSSO_AWSAdministratorAccess and its dynamically changes for every account.

Any idea how I can define a common IAM role arn which covers all administrator's IAM roles across my accounts

Temas
Seguridad, identidad y cumplimientoGestión y gobierno
Etiquetas
Seguridad, identidad y cumplimientoAWS Identity and Access ManagementPolíticas de IAMPolítica de control de servicios
Idioma
English
rePost-User-0355221
preguntada hace un año665 visualizaciones
2 Respuestas
0
Respuesta aceptada

Hello, Please review the below example of such an SCP policy:

A few highlights:

  • Your referenced ARN suggests that you are trying to create an common permission set with AWS IAM Identity Center, and apply the common permission set to multiple accounts that multiple administrators can assume a role into to make administrative changes. Below in the SCP I have replicated such a reference with the AWS Principal ARN list. Note - You can add multiple entries into the list to cover multiple applied SSO permission sets.
  • Also notice the "*" within the policy to cover the changing account fields, and the SSO user reference that's appended on the end of the AWSReservedSSO role ARN. Its always best practice to be as explicit as reasonably possible, but I just wanted to highlight the trailing * for your attention to adjust accordingly.

Hope this helps !

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAccessWithException", "Effect": "Deny", "Action": [ "iam:CreateUser", "iam:CreateAccessKey" ], "Resource": [ "*" ], "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_*" ] } } } ] }

  • Lewis
AWS
LewisG
respondido hace un año
0

Take a look at this: Prevent IAM users and roles from making specified changes, with an exception for a specified admin role.

profile pictureAWS
EXPERTO
kentrad
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante