Why is an AWSReservedSSO_PowerUserAccess policy holder blocked from performing an action?


When testing out AWS SSO before a full rollout, we've run into a few errors with permissions. Most are non-issues, but this error (below) surprised me: why would a PowerUser policy holder not have the ability to perform every action they try to perform?

Failed to describe Instance Profiles
Failed to describe Instance Profiles. User: arn:aws:sts::x123x:assumed-role/AWSReservedSSO_PowerUserAccess_x123x/dev@email.com is not authorized to perform: iam:ListInstanceProfiles on resource: arn:aws:iam::x123x:instance-profile/ because no identity-based policy allows the iam:ListInstanceProfiles action.
1 answer

Accepted answer

Hello,

The PowerUser will have access to every service except for some permissions regarding the IAM service. As you can see, you are trying to perform an action on the IAM service, iam:ListInstanceProfiles. The Power User does not have access to the IAM API actions because managing users is the most powerful tool in AWS. The reason why managing users is so powerful is that if somebody has full access to the IAM service, that identity can grant itself or other users any permission that that identity wants.

PowerUserAccess = Admin Access - IAM

Julian
answered a month ago
Expert
reviewed a month ago
  • Thank you so much, this makes perfect sense! What is the best-practice for allowing those who need to assign necessary IAM roles to EC2 instances/other objects to do so without allowing them full access to all IAM actions? Do I just need to make a custom policy that allows iam:PassRole for the relevant IAM role(s)?
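To make the "Admin Access minus IAM" shape concrete, here is an added example that is not part of the thread above and not AWS code: a small evaluator for IAM identity-based policies (explicit Deny wins, then any matching Allow, otherwise implicit deny) run against a constructed approximation of the PowerUserAccess managed policy. The approximation reproduces the policy's structure (an Allow whose NotAction excludes iam:*, organizations:* and account:*, plus a short allow-list of IAM, Organizations and Account actions); check the live managed policy in your account for the exact statement list. It also answers the follow-up comment in general terms with a hypothetical supplementary policy, EC2_ROLE_ATTACH, that grants the read-only instance-profile actions the console asked for and an iam:PassRole limited by resource prefix and by the real iam:PassedToService condition key. The account id 123456789012 and the role path role/ec2/ are constructed for the example.

```python
import re

# Added example, not from the thread. A toy evaluator for IAM identity-based
# policies: explicit Deny wins, then any matching Allow, else implicit deny.
# It models Action/NotAction, Resource/NotResource and StringEquals conditions.

# Constructed approximation of the AWS-managed PowerUserAccess policy:
# Allow everything *except* iam:*, organizations:* and account:*, plus a short
# allow-list. Verify against the live managed policy before relying on it.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": ["iam:*", "organizations:*", "account:*"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                "iam:ListRoles", "organizations:DescribeOrganization",
                "account:ListRegions", "account:GetAccountInformation",
            ],
            "Resource": "*",
        },
    ],
}

ACCOUNT = "123456789012"  # constructed account id

# Hypothetical supplementary policy: read instance profiles, and pass only
# roles under role/ec2/ and only to the EC2 service (iam:PassedToService).
EC2_ROLE_ATTACH = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:ListInstanceProfiles", "iam:GetInstanceProfile",
                       "iam:ListInstanceProfilesForRole"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/ec2/*",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' matches one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _matches_any(patterns, value, ignore_case):
    return any(_wildcard_match(p, value, ignore_case) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if "Action" in stmt and not _matches_any(stmt["Action"], action, True):
        return False
    if "NotAction" in stmt and _matches_any(stmt["NotAction"], action, True):
        return False
    if "Resource" in stmt and not _matches_any(stmt["Resource"], resource, False):
        return False
    if "NotResource" in stmt and _matches_any(stmt["NotResource"], resource, False):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":  # the only operator this toy supports
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource="*", context=None):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # an explicit Deny overrides every Allow
            decision = "allow"
    return decision


if __name__ == "__main__":
    profile = f"arn:aws:iam::{ACCOUNT}:instance-profile/"  # resource from the error
    print(evaluate([POWER_USER_ACCESS], "ec2:RunInstances"))                     # allow
    print(evaluate([POWER_USER_ACCESS], "iam:ListInstanceProfiles", profile))    # implicitDeny
    print(evaluate([POWER_USER_ACCESS, EC2_ROLE_ATTACH], "iam:ListInstanceProfiles", profile))  # allow
```

Two points the evaluation makes visible. First, the denial in the question is an implicit deny: nothing in PowerUserAccess matches iam:ListInstanceProfiles, which is exactly what "no identity-based policy allows the action" means. Second, iam:PassRole on its own would not have fixed that console error; the launch wizard first lists instance profiles, so the supplementary policy needs the List/Get actions as well as the scoped PassRole. Real IAM evaluation also folds in SCPs, permission boundaries, session policies and resource-based policies, which this toy ignores.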
