Custom IAM policy

0

Hi Community,

Assume we have the following policy for an IAM user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:CreateUser",
                "iam:CreateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/iot.*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:AddUserToGroup",
            "Resource": "arn:aws:iam::*:group/CUSTOMGROUP"
        }
    ]
}

He should now be able to perform GetUser, CreateUser and CreateAccessKey for all IAM users starting with iot. The second rule should allow him to add an IAM user to the group CUSTOMGROUP.

Everything works fine, but I want the user to be allowed to add only other IAM users starting with iot. to the group CUSTOMGROUP. How can this be achieved? I was thinking about adding something like

"Condition": {"StringLike": {"iam:user": ["iot.*"]}}

This does not work... any idea if this is possible at all?

1 answer
2
Accepted answer

Hello,

The action "AddUserToGroup" does not support any condition key. Hence, it is possible to restrict this action on a specific username.

Our IAM user guide has a comprehensive listing of each service, and the Access Level required, Resource Types allowed, and Condition Keys that can be used with their actions [1].

However, there is an existing feature request in place for this. As is the case with all feature requests, the internal team takes them seriously and evaluates every request, but we are unable to share any rough ETA for delivering this feature, as inclusion of any new feature needs rigorous testing and shall be prioritized along with the team's additional workload. However, any new announcements will be made in our What's New page [https://aws.amazon.com/new/] and our Official Blog [https://aws.amazon.com/blogs/aws/].

[1]https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html

AWS
TECHNICAL SUPPORT ENGINEER
answered a year ago
  • excellent and fast feedback, thank you.
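Added example, not part of the original thread: a short Python script that takes the policy from the question and two constructed CloudTrail-style AddUserToGroup events, and shows why the restriction cannot be expressed in the policy (the request resource for AddUserToGroup is the group ARN, so the target user never enters the Action/Resource match) together with a compensating CloudTrail check for users added to CUSTOMGROUP outside the iot.* naming pattern. The evaluation function is a simplified stand-in for IAM's engine (Allow statements only, no Deny, no Condition); the event values and account ID are made up.

```python
import fnmatch

# Constructed sample inputs: the policy from the question and two
# CloudTrail-style AddUserToGroup events (field layout as in CloudTrail, values made up).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["iam:GetUser", "iam:CreateUser", "iam:CreateAccessKey"],
         "Resource": "arn:aws:iam::*:user/iot.*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "iam:AddUserToGroup",
         "Resource": "arn:aws:iam::*:group/CUSTOMGROUP"},
    ],
}
EVENTS = [
    {"eventName": "AddUserToGroup",
     "requestParameters": {"userName": "iot.sensor01", "groupName": "CUSTOMGROUP"}},
    {"eventName": "AddUserToGroup",
     "requestParameters": {"userName": "admin-backup", "groupName": "CUSTOMGROUP"}},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """Simplified evaluation (Allow statements only, no Deny, no Condition):
    True if some statement's Action and Resource patterns both match the request.
    Action matching is case-insensitive; resource ARN matching is case-sensitive."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])) \
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False

def flag_out_of_scope_adds(events, user_pattern="iot.*", group="CUSTOMGROUP"):
    """Compensating detection: usernames added to `group` whose name does not
    match `user_pattern`, i.e. exactly what the policy itself cannot prevent."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "AddUserToGroup":
            continue
        params = ev.get("requestParameters", {})
        if params.get("groupName") == group and \
                not fnmatch.fnmatchcase(params.get("userName", ""), user_pattern):
            hits.append(params["userName"])
    return hits
```

Because the AddUserToGroup request is evaluated against the group ARN only, policy_allows returns True for any target user; flag_out_of_scope_adds is the kind of CloudTrail alert that fills the gap until a condition key exists.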
