By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SCP for iam:CreateUser

0

I'm trying to setup a scp to prevent iam:CreateUser and iam:CreateAccessKey for all the IAM users except the administrators. The issue is administrators IAM role arn is like arn:aws:iam::--------:role/aws-reserved/sso.amazonaws.com/eu-north-1/AWSReservedSSO_AWSAdministratorAccess and its dynamically changes for every account.

Any idea how I can define a common IAM role arn which covers all administrator's IAM roles across my accounts

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementIAM PoliciesService Control Policy
Language
English
rePost-User-0355221
asked a year ago641 views
2 Answers
0
Accepted Answer

Hello, Please review the below example of such an SCP policy:

A few highlights:

  • Your referenced ARN suggests that you are trying to create an common permission set with AWS IAM Identity Center, and apply the common permission set to multiple accounts that multiple administrators can assume a role into to make administrative changes. Below in the SCP I have replicated such a reference with the AWS Principal ARN list. Note - You can add multiple entries into the list to cover multiple applied SSO permission sets.
  • Also notice the "*" within the policy to cover the changing account fields, and the SSO user reference that's appended on the end of the AWSReservedSSO role ARN. Its always best practice to be as explicit as reasonably possible, but I just wanted to highlight the trailing * for your attention to adjust accordingly.

Hope this helps !

{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAccessWithException", "Effect": "Deny", "Action": [ "iam:CreateUser", "iam:CreateAccessKey" ], "Resource": [ "*" ], "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_*" ] } } } ] }

  • Lewis
AWS
LewisG
answered a year ago
0

Take a look at this: Prevent IAM users and roles from making specified changes, with an exception for a specified admin role.

profile pictureAWS
EXPERT
kentrad
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content