By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

BUG in IAM? Even if denying all actions for particular user that having administrator access. (other users are able to add this user in other groups.

0

Hey everyone,

There is one scenario i have noticed today. So i have one user which has administrator access i wanted that none of the othe users should be able to perform any actions on this user such as all iam actions should be restricted. but i noticed that even after denying all iam action for this user other users are able to add this user in other groups. which causes loss of the administrator power for this user. devadminuser adding that user in a group with limited permission attached to the group user got added to the group

Now the user has two policy attached one is administrator access and other is policy with some deny access which causes loss of administrator access.

Please help

Best regards, Manav Dakshini.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS Management ConsoleAWS Account ManagementIAM Policies
Language
English
manav
asked 7 months ago255 views
1 Answer
1

but i noticed that even after denying all iam action for this user other users are able to add this user in other groups.

When you add an user to a specific group, you call AddUserToGroup action internally. However, this documentation indicates that the action AddUserToGroup operates on group resource, not user.

Therefore the statement you provided can prevent all users from being added to the Admin group, but you cannot prevent any user (includes dev-admin) from being added to any other group.

profile picture
HS
answered 7 months ago
  • manav
    7 months ago

    well tried that too and changed the stuff littile bit but still its not working... { "Sid": "dontAddinAnyGroup", "Effect": "Deny", "Action": "iam:AddUserToGroup", "Resource": "", "Condition": { "ArnLike": { "aws:PrincipalArn": "arn:aws:iam:::user/dev-admin" } } }

  • HS
    7 months ago

    No, this statement won't work either. The Condition element with aws:PrincipalArn controls which principal (role, user) will be denied to invoke the action AddUserToGroup, not which target user will be prevented from being added to the group.

    This statement will forbid dev-admin user to add any user to any group, but other users with this policy can still add dev-admin to any group.

    If you want to protect dev-admin user from being modified, you should deny user or group administration actions unconditionally, e.g.,

    {
  "Sid": "DenyUserAndGroupWrite",
  "Effect": "Deny",
  "Resource": "*",
  "Action": [
    "iam:CreateGroup",
    "iam:CreateUser",
    "iam:UpdateGroup",
    "iam:UpdateUser",
    "iam:DeleteGroup",
    "iam:DeleteUser",
    "iam:AddUserToGroup",
    "iam:RemoveUserFromGroup",
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:PutUserPolicy",
    "iam:PutGroupPolicy",
    "iam:DetachUserPolicy",
    "iam:DetachGroupPolicy",
    "iam:DeleteUserPolicy",
    "iam:DeleteGroupPolicy"
  ]
}
  • manav
    7 months ago

    okay thank you so much :)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content