
I want to create a user who has AdministratorAccess and can manage everything except, for example, Delete and Update actions in IAM, which should be denied.

I tried to do this

  • Create Admin User
  • Create a policy that denies Delete and Update Operations in IAM
  • Attach that policy to the user
  • User now has (AdministratorAccess + MyPolicy)

But

  • User is still able to delete and update users in IAM
  • I think this is because of AdministratorAccess

Is there a way to do this, without having to create multiple complicated policies?

Update

Here is the policy I created

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtXXXX",
            "Effect": "Deny",
            "Action": [
                "iam:ChangePassword",
                "iam:DeactivateMFADevice",
                "iam:DeleteAccessKey",
                "iam:DeleteAccountAlias",
                "iam:DeleteAccountPasswordPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteInstanceProfile",
                "iam:DeleteLoginProfile",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteSAMLProvider",
                "iam:DeleteSSHPublicKey",
                "iam:DeleteServerCertificate",
                "iam:DeleteSigningCertificate",
                "iam:DeleteUser",
                "iam:DeleteUserPolicy",
                "iam:DeleteVirtualMFADevice",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:RemoveUserFromGroup",
                "iam:UpdateAccessKey",
                "iam:UpdateLoginProfile",
                "iam:UpdateSSHPublicKey"
            ],
            "Resource": [
                "arn:aws:iam::1234:user/dummyadmin"
            ]
        }
    ]
}

Update 2

After setting resource to arn:aws:iam::1234, it worked!

Eltorrooo
    `Deny` in an IAM policy *always* overrides `Allow`, if both rules apply to a user... AdministratorAccess should not be exempt from this, so the most likely explanation is that your deny policy doesn't correctly identify the actions and resources to which you want to deny access. Show the deny policy? – Michael - sqlbot Dec 02 '16 at 13:30
  • @Michael-sqlbot I attached the policy I created, could it be because of the ARN? – Eltorrooo Dec 02 '16 at 14:05
  • The `Effect` of a policy statement applies when a `Principal` tries to perform an `Action` **against** a *target* `Resource`. The `Principal` is not declared in a user policy, because the `Principal` is any user against whom the policy is applied... so by confusing `Resource` and `Principal`, this was only denying user/dummyadmin from performing actions against itself. – Michael - sqlbot Dec 02 '16 at 17:37

2 Answers


A potentially easier option is to assign permissions for everything except IAM. This can be accomplished with this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}

Note the use of NotAction to exclude IAM.

It's not quite the same as your policy (which can use CreateUser), but is a very efficient way to give somebody Power User permissions, without the ability to use IAM.

John Rotenstein
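As an added illustration (not code from the question or either answer), a small Python simulation of the evaluation rule the comments describe: an explicit Deny beats AdministratorAccess's Allow, but only for the resources its `Resource` element actually matches, and the `NotAction` policy from the answer above allows everything except IAM. It uses account id 1234 as on the page and assumes the account-wide wildcard `arn:aws:iam::1234:*` as the corrected Resource; the matcher and the second user `bob` are constructed for the example.

```python
import fnmatch

# Stand-in for the managed AdministratorAccess policy (constructed; same "*"/"*" shape).
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The policy from the answer above: allow everything except IAM via NotAction.
NOT_IAM = {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}

def deny_iam_changes(resource):
    """The question's Deny policy, cut down to two of its actions, scoped to `resource`."""
    return {"Statement": [{"Effect": "Deny",
                           "Action": ["iam:DeleteUser", "iam:UpdateAccessKey"],
                           "Resource": resource}]}

def _matches(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action)
    else:  # NotAction: the statement covers every action NOT in the list
        action_hit = not _matches(stmt["NotAction"], action)
    return action_hit and _matches(stmt["Resource"], resource)

def is_allowed(policies, action, resource):
    """Simplified identity-policy evaluation: a matching explicit Deny always wins;
    otherwise at least one matching Allow is needed (the default is implicit deny)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

ME = "arn:aws:iam::1234:user/dummyadmin"      # the Resource the question's policy named
OTHER = "arn:aws:iam::1234:user/bob"          # constructed: some other user in the account

if __name__ == "__main__":
    original = [ADMINISTRATOR_ACCESS, deny_iam_changes(ME)]
    print(is_allowed(original, "iam:DeleteUser", OTHER))  # True: Deny only matched dummyadmin
    fixed = [ADMINISTRATOR_ACCESS, deny_iam_changes("arn:aws:iam::1234:*")]  # assumed wildcard
    print(is_allowed(fixed, "iam:DeleteUser", OTHER))     # False: Deny now covers every user
    print(is_allowed(fixed, "iam:CreateUser", OTHER))     # True: CreateUser is not denied
    print(is_allowed([NOT_IAM], "iam:CreateUser", OTHER)) # False: never allowed, implicit deny
```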

Change resource to

arn:aws:iam::1234
Eltorrooo