I am relatively new to AWS. I own the primary AWS account, but need to create a "super-user" account that only has rights to create new users and can only add those users to a set of predefined groups with their respective policies (e.g. SES-Readonly and SES-FullAccess). I do not want that super-user to be able to create any other groups, nor should they be able to modify any policies applied to the groups. I also do not want this user to have access to the other AWS services (e.g. EC2, S3, etc.). Is this possible? If so, what would the policy look like?

I have read most of the IAM documentation, and looked at their examples, but I didn't find any examples that were similar to my use case :(

Thanks in advance!

Grant Mac

1 Answer

Yes, you need to create an IAM user and then give it this IAM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1375475989975",
      "Action": [
        "iam:AddUserToGroup",
        "iam:CreateUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::152997954706:user/AMISTACK-02-WEB-User-WYEMFOJZ4BDP"
    }
  ]
}

arn:aws:iam::152997954706:user/AMISTACK-02-WEB-User-WYEMFOJZ4BDP is an example user ARN. You'll need to substitute your specific user's ARN.

An easy way to create policy files is to use: http://awspolicygen.s3.amazonaws.com/policygen.html

BrianJakovich
  • Yeah, +1 for the [AWS Policy Generator](http://awspolicygen.s3.amazonaws.com/policygen.html). – Ryan Parman Aug 03 '13 at 06:23
  • Thank you! That is great! I used the Policy Generator before, but I don't see a way I can prevent this "super-user" from adding users to all groups. For example, I only want this "super-user" to add users to Group A and Group B. I do not want the "super-user" to be able to add users to a Super Admin group. Is it possible to restrict which groups the "super-user" can add to? – Grant Mac Aug 05 '13 at 13:51
  • 2
    Resource level permissions are not setup for IAM users themselves yet. You can specify an action that users are allowed or denied to perform, but you cannot set via the resource level yet. That feature has only been implemented for ec2 and rds. – BrianJakovich Aug 05 '13 at 15:00
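The comment thread above describes IAM as it stood in 2013. IAM actions such as iam:CreateUser and iam:AddUserToGroup do support resource-level permissions today (CreateUser is evaluated against the ARN of the user being created, AddUserToGroup against the ARN of the group), so the restriction the question asks for can be written directly: allow CreateUser on user/* and AddUserToGroup only on the approved group ARNs; everything else, including CreateGroup, AttachGroupPolicy and every non-IAM service, is implicitly denied. The following is an added example, not code from the original question or answer and not AWS's own code. It builds that policy in Python and includes a deliberately simplified, offline model of IAM's evaluation rules so you can check what the document allows before attaching it. The account ID 123456789012 is a placeholder, the group names are the two from the question, and is_allowed is a toy evaluator (no conditions, NotAction, permission boundaries or SCPs), not the real IAM engine.

```python
import fnmatch
import json

# Constructed placeholders for this example: a fake account ID and the two
# group names from the question. Substitute your own values.
ACCOUNT_ID = "123456789012"
APPROVED_GROUPS = ["SES-Readonly", "SES-FullAccess"]


def group_arn(account_id, group_name):
    return f"arn:aws:iam::{account_id}:group/{group_name}"


def build_user_admin_policy(account_id, approved_groups):
    """Policy for a 'user admin' that may only create IAM users and put them
    into the approved groups. CreateGroup, PutGroupPolicy, AttachGroupPolicy,
    EC2, S3 and everything else are implicitly denied: no statement allows them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateUsersOnly",
                "Effect": "Allow",
                "Action": ["iam:CreateUser"],
                # CreateUser is evaluated against the ARN of the user being
                # created, so user/* permits any new user name in this account.
                "Resource": f"arn:aws:iam::{account_id}:user/*",
            },
            {
                "Sid": "AddToApprovedGroupsOnly",
                "Effect": "Allow",
                "Action": ["iam:AddUserToGroup"],
                # AddUserToGroup is evaluated against the *group* ARN, so listing
                # only the approved groups is what blocks adding users to Admins.
                "Resource": [group_arn(account_id, g) for g in approved_groups],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    # IAM patterns use '*' (any run of characters) and '?' (one character).
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Toy model of IAM evaluation for one identity policy (assumption: no
    Condition, NotAction/NotResource, boundaries or SCPs): an explicit Deny on a
    matching statement wins, otherwise any matching Allow grants access,
    otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(policy):
    """The document you would attach with put-user-policy or create-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_user_admin_policy(ACCOUNT_ID, APPROVED_GROUPS)
    print(policy_json(policy))
    checks = [
        ("iam:CreateUser", f"arn:aws:iam::{ACCOUNT_ID}:user/alice"),
        ("iam:AddUserToGroup", group_arn(ACCOUNT_ID, "SES-Readonly")),
        ("iam:AddUserToGroup", group_arn(ACCOUNT_ID, "Admins")),
        ("iam:CreateGroup", group_arn(ACCOUNT_ID, "NewGroup")),
        ("iam:AttachGroupPolicy", group_arn(ACCOUNT_ID, "SES-FullAccess")),
        ("ec2:RunInstances", "*"),
    ]
    for action, resource in checks:
        verdict = "ALLOW" if is_allowed(policy, action, resource) else "DENY"
        print(f"{verdict:5} {action} on {resource}")
```

Two caveats a practitioner would want: a user created with only iam:CreateUser has no credentials, so if the super-user is meant to hand out passwords or access keys you must also allow iam:CreateLoginProfile or iam:CreateAccessKey. Granting those on user/* would let the super-user mint credentials for every existing user, including administrators, so scope both CreateUser and the credential actions to a dedicated IAM path such as user/managed/* instead of user/*. Second, the implicit deny only holds for this policy in isolation; if the super-user later gets other policies or group memberships, an explicit Deny statement on iam:CreateGroup, iam:AttachGroupPolicy, iam:PutGroupPolicy and the other mutation actions is the robust way to keep those doors shut.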