1 Answer
The following documentation shows that Condition keys cannot be set for the policies required to view IAM Roles and IAM Groups.
In other words, it would be difficult to display them in different environments.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html
It is recommended to set the necessary ARNs in the resource section as it seems possible to narrow down the ARNs in the resource.
As an example, the following will limit the user and role details to those of the ARN set for the resource.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:ListGroups"
            ],
            "Resource": ["*"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetGroup",
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::AWS Account ID:user/IAM User Name",
                "arn:aws:iam::AWS Account ID:role/IAM Role Name",
                "arn:aws:iam::AWS Account ID:group/IAM Group Name"
            ]
        }
    ]
}
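To see how the resource scoping in the answer above behaves, here is an added example (not from the answer or from AWS): a minimal offline evaluator for identity policies that applies IAM's default-deny, explicit-deny-wins, wildcard-matching rules, plus a small lint that lists which actions a policy grants on `"*"`. It deliberately ignores `Condition`, `NotAction`, `NotResource` and resource/SCP policies, and the account id and principal names are constructed placeholders.

```python
import re

# Constructed policy mirroring the answer: List* on "*", Get* only on named ARNs.
# Account id 111122223333 and the principal names are placeholders, not real values.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListRoles", "iam:ListGroups"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["iam:GetUser", "iam:GetGroup", "iam:GetRole"],
         "Resource": ["arn:aws:iam::111122223333:user/alice",
                      "arn:aws:iam::111122223333:role/app-role",
                      "arn:aws:iam::111122223333:group/dev"]},
    ],
}


def _iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style glob: '*' matches any run, '?' one character; nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: default deny; an explicit Deny wins; else any matching Allow grants.
    Action names compare case-insensitively, resource ARNs case-sensitively (as IAM does)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def wildcard_resource_actions(policy: dict) -> set:
    """Lint: actions an Allow statement grants on Resource "*" (candidates for narrowing)."""
    return {a for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])
            for a in _as_list(s["Action"])}
```

Running `is_allowed` against a few request pairs shows that `iam:GetUser` succeeds only for the listed ARN while the `List*` calls succeed regardless, which is the scoping the answer describes; the lint confirms only the `List*` actions remain on `"*"`.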