使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款

BUG in IAM? Even if denying all actions for particular user that having administrator access. (other users are able to add this user in other groups.

0

Hey everyone,

There is one scenario i have noticed today. So i have one user which has administrator access i wanted that none of the othe users should be able to perform any actions on this user such as all iam actions should be restricted. but i noticed that even after denying all iam action for this user other users are able to add this user in other groups. which causes loss of the administrator power for this user. devadminuser adding that user in a group with limited permission attached to the group user got added to the group

Now the user has two policy attached one is administrator access and other is policy with some deny access which causes loss of administrator access.

Please help

Best regards, Manav Dakshini.

1 個回答
1

but i noticed that even after denying all iam action for this user other users are able to add this user in other groups.

When you add an user to a specific group, you call AddUserToGroup action internally. However, this documentation indicates that the action AddUserToGroup operates on group resource, not user.

Therefore the statement you provided can prevent all users from being added to the Admin group, but you cannot prevent any user (includes dev-admin) from being added to any other group.

profile picture
已回答 1 年前
  • well tried that too and changed the stuff littile bit but still its not working... { "Sid": "dontAddinAnyGroup", "Effect": "Deny", "Action": "iam:AddUserToGroup", "Resource": "", "Condition": { "ArnLike": { "aws:PrincipalArn": "arn:aws:iam:::user/dev-admin" } } }

  • No, this statement won't work either. The Condition element with aws:PrincipalArn controls which principal (role, user) will be denied to invoke the action AddUserToGroup, not which target user will be prevented from being added to the group.

    This statement will forbid dev-admin user to add any user to any group, but other users with this policy can still add dev-admin to any group.

    If you want to protect dev-admin user from being modified, you should deny user or group administration actions unconditionally, e.g.,

    {
      "Sid": "DenyUserAndGroupWrite",
      "Effect": "Deny",
      "Resource": "*",
      "Action": [
        "iam:CreateGroup",
        "iam:CreateUser",
        "iam:UpdateGroup",
        "iam:UpdateUser",
        "iam:DeleteGroup",
        "iam:DeleteUser",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:AttachUserPolicy",
        "iam:AttachGroupPolicy",
        "iam:PutUserPolicy",
        "iam:PutGroupPolicy",
        "iam:DetachUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy"
      ]
    }
  • okay thank you so much :)

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南