
BUG in IAM? Even when denying all actions for a particular user that has administrator access, other users are able to add this user to other groups.

0

Hey everyone,

There is one scenario I noticed today. I have one user which has administrator access, and I wanted that none of the other users should be able to perform any actions on this user, i.e. all IAM actions should be restricted. But I noticed that even after denying all IAM actions for this user, other users are able to add this user to other groups, which causes loss of the administrator power for this user. devadminuser adding that user to a group with limited permissions attached to the group: the user got added to the group.

Now the user has two policies attached: one is administrator access and the other is a policy with some deny access, which causes loss of administrator access.

Please help

Best regards, Manav Dakshini.

1 answer
1

but I noticed that even after denying all IAM actions for this user, other users are able to add this user to other groups.

When you add a user to a specific group, you call the AddUserToGroup action internally. However, the documentation indicates that the action AddUserToGroup operates on the group resource, not the user.

Therefore the statement you provided can prevent all users from being added to the Admin group, but you cannot prevent any user (including dev-admin) from being added to any other group.

answered a year ago
  • Well, tried that too and changed the stuff a little bit, but still it's not working...

    {
      "Sid": "dontAddinAnyGroup",
      "Effect": "Deny",
      "Action": "iam:AddUserToGroup",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:user/dev-admin"
        }
      }
    }

  • No, this statement won't work either. The Condition element with aws:PrincipalArn controls which principal (role, user) will be denied from invoking the action AddUserToGroup, not which target user will be prevented from being added to the group.

    This statement will forbid the dev-admin user from adding any user to any group, but other users with this policy can still add dev-admin to any group.

    If you want to protect the dev-admin user from being modified, you should deny user or group administration actions unconditionally, e.g.,

    {
      "Sid": "DenyUserAndGroupWrite",
      "Effect": "Deny",
      "Resource": "*",
      "Action": [
        "iam:CreateGroup",
        "iam:CreateUser",
        "iam:UpdateGroup",
        "iam:UpdateUser",
        "iam:DeleteGroup",
        "iam:DeleteUser",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:AttachUserPolicy",
        "iam:AttachGroupPolicy",
        "iam:PutUserPolicy",
        "iam:PutGroupPolicy",
        "iam:DetachUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy"
      ]
    }
  • okay thank you so much :)
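To make the answer's point concrete, here is a small Python model of IAM's deny-overrides evaluation, written for this page (it is not code from the thread or from any AWS library). It assumes constructed policies, a constructed account id, and that every caller also holds an AdministratorAccess-style allow; it shows that the aws:PrincipalArn condition only restricts who may call AddUserToGroup, because the user being added is never part of the authorised resource.

```python
import fnmatch

# Constructed policies for illustration (assumptions, not copied from the thread).
ADMIN_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The questioner's attempt: deny AddUserToGroup, conditioned on the *calling* principal.
CONDITIONAL_DENY = {"Statement": [{
    "Sid": "dontAddinAnyGroup", "Effect": "Deny",
    "Action": "iam:AddUserToGroup", "Resource": "*",
    "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:user/dev-admin"}}}]}

# The answer's fix (trimmed to two actions): deny the membership write for every caller.
UNCONDITIONAL_DENY = {"Statement": [{
    "Sid": "DenyUserAndGroupWrite", "Effect": "Deny", "Resource": "*",
    "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"]}]}

def _listify(x):
    return x if isinstance(x, list) else [x]

def _condition_holds(cond, ctx):
    # Only the ArnLike operator is modelled; keys are looked up in the request context.
    return all(fnmatch.fnmatchcase(ctx.get(key, ""), pattern)
               for key, pattern in cond.get("ArnLike", {}).items())

def evaluate(policies, action, resource, ctx):
    # Deny-overrides: an explicit Deny wins, otherwise an Allow is required, else implicit deny.
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _listify(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

GROUP = "arn:aws:iam::123456789012:group/limited"        # constructed account id
DEV_ADMIN = "arn:aws:iam::123456789012:user/dev-admin"
OTHER_USER = "arn:aws:iam::123456789012:user/other-user"

def add_user_to_group(caller_arn, extra_policy):
    # The user being added never enters the evaluation: AddUserToGroup is
    # authorised against the group ARN, so a target-user condition has nothing to match.
    return evaluate([ADMIN_ACCESS, extra_policy], "iam:AddUserToGroup", GROUP,
                    {"aws:PrincipalArn": caller_arn})

if __name__ == "__main__":
    print("dev-admin adds someone, conditional deny:", add_user_to_group(DEV_ADMIN, CONDITIONAL_DENY))
    print("other user adds dev-admin, conditional deny:", add_user_to_group(OTHER_USER, CONDITIONAL_DENY))
    print("other user adds dev-admin, unconditional deny:", add_user_to_group(OTHER_USER, UNCONDITIONAL_DENY))
```

The second call is the gap the questioner hit: with only the conditional deny, another principal is still allowed to add dev-admin to a group.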
