I have a test account where I'd like to give developers access to try out anything they'd like EXCEPT I don't want to give them permissions to add / delete / mess with other users. I tried allowing everything and then denying IAM access but then they couldn't change their own password. For example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
This made it so users got the following error when they tried to log in and change their pw:
User is not authorized to perform iam:ChangePassword
For a more concise answer you can use wildcards. Not perfectly future-proof, but those are most of the damaging verbs. :)
Also I found the policy simulator very useful: IAM policy simulator
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "iam:Add*",
                "iam:Create*",
                "iam:Deactivate*",
                "iam:Delete*",
                "iam:Detach*",
                "iam:Enable*",
                "iam:PassRole",
                "iam:Put*",
                "iam:Remove*",
                "iam:Resync*",
                "iam:Set*",
                "iam:Simulate*",
                "iam:Update*"
            ],
            "Resource": "*"
        }
    ]
}
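The two policies above, as an added example that is not from either poster: a small Python model of the IAM evaluation rules that matter here (implicit deny by default, a matching explicit Deny overrides any Allow, `*` and `?` wildcards matched case-insensitively), run over both policies. It ignores Condition blocks, NotAction and ARN-specific resource matching, so it is a reasoning aid rather than a replacement for the policy simulator linked in the answer.

```python
import fnmatch

# Policy from the question: allow everything, then deny all of iam:*.
DENY_ALL_IAM = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["iam:*"], "Resource": ["*"]},
    ],
}

# Policy from the answer: allow everything, deny only the mutating IAM verbs.
DENY_IAM_WRITES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "iam:Add*", "iam:Create*", "iam:Deactivate*", "iam:Delete*",
            "iam:Detach*", "iam:Enable*", "iam:PassRole", "iam:Put*",
            "iam:Remove*", "iam:Resync*", "iam:Set*", "iam:Simulate*",
            "iam:Update*"]},
    ],
}

def _matches(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' matches any run, '?' one character, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def evaluate(policy: dict, action: str, resource: str = "*") -> str:
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action/resource pair.
    Simplified model: no Condition, NotAction or NotResource handling."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"   # explicit deny wins over any allow
        allowed = True
    return "allowed" if allowed else "implicitDeny"

def compare(actions):
    """Evaluate each action under both policies: {action: (question, answer)}."""
    return {a: (evaluate(DENY_ALL_IAM, a), evaluate(DENY_IAM_WRITES, a)) for a in actions}

if __name__ == "__main__":
    for act, (q, a) in compare(["iam:ChangePassword", "iam:CreateUser",
                                "iam:AttachUserPolicy", "s3:GetObject"]).items():
        print(f"{act:24} question policy: {q:13} answer policy: {a}")
```

Running it confirms the behaviour described on the page: the question's policy explicitly denies iam:ChangePassword, while the answer's policy allows it and denies iam:CreateUser. It also shows that iam:AttachUserPolicy falls outside the answer's deny list and evaluates as allowed, which is the kind of gap worth checking in the simulator before handing the policy to developers.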