1回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
but i noticed that even after denying all iam action for this user other users are able to add this user in other groups.
When you add an user to a specific group, you call AddUserToGroup
action internally. However, this documentation indicates that the action AddUserToGroup
operates on group resource, not user.
Therefore the statement you provided can prevent all users from being added to the Admin
group, but you cannot prevent any user (includes dev-admin
) from being added to any other group.
回答済み 1年前
関連するコンテンツ
- 質問済み 1ヶ月前
- AWS公式更新しました 2年前
well tried that too and changed the stuff littile bit but still its not working... { "Sid": "dontAddinAnyGroup", "Effect": "Deny", "Action": "iam:AddUserToGroup", "Resource": "", "Condition": { "ArnLike": { "aws:PrincipalArn": "arn:aws:iam:::user/dev-admin" } } }
No, this statement won't work either. The
Condition
element withaws:PrincipalArn
controls which principal (role, user) will be denied to invoke the actionAddUserToGroup
, not which target user will be prevented from being added to the group.This statement will forbid
dev-admin
user to add any user to any group, but other users with this policy can still adddev-admin
to any group.If you want to protect
dev-admin
user from being modified, you should deny user or group administration actions unconditionally, e.g.,okay thank you so much :)