I want to create a policy where the user is restricted from creating a role without my permissions boundary! I tried using iam:AttachRolePolicy and iam:PutRolePermissionsBoundary, but it is still not working!
It's hard to see what's going on without seeing what you were trying to do. Could you add the full policy you have? – Deiv Jan 30 '19 at 18:23

1 Answer
The config you are attempting would be accomplished if you granted the user the iam:CreateRole permission with a condition. For example, if your permissions boundary is a policy called myPermissionBoundary, then attaching the policy below would allow the user to create a role IFF the user also attached the permissions boundary to that role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRoleIffPermInPlace",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/myPermissionBoundary"
                }
            }
        }
    ]
}

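To see why the condition works, and where it stops, here is an added example (not code from the post above or from AWS) that simulates IAM's evaluation of the answer's statement offline. The evaluator is a toy covering only what the policy uses: Allow/Deny, action and resource wildcards, and the String* condition operators, including IAM's rule that a missing context key makes a positive operator fail and a negated one succeed. The account id and boundary name are the answer's placeholders. Two Deny statements are my addition, following the delegation pattern in the AWS permissions-boundary documentation: without them a user who is also granted iam:DeleteRolePermissionsBoundary or iam:PutRolePermissionsBoundary elsewhere could strip or swap the boundary after the role exists, and the CreateRole condition alone would not stop that.

```python
"""Toy simulation of IAM policy evaluation for the CreateRole statement.

Added example, not the original post's code or an AWS library. Supports
only Allow/Deny, action/resource wildcards and StringEquals/StringLike
(plus their negations), which is all this policy needs.
"""
from fnmatch import fnmatchcase

# Placeholder values from the answer (constructed, not a real account).
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/myPermissionBoundary"
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # The answer's statement: CreateRole only with our boundary attached.
            "Sid": "CreateRoleIffPermInPlace",
            "Effect": "Allow",
            "Action": ["iam:CreateRole"],
            "Resource": "*",
            "Condition": {"StringLike": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {   # Added here: the boundary must not be removable afterwards.
            "Sid": "NoBoundaryRemoval",
            "Effect": "Deny",
            "Action": ["iam:DeleteRolePermissionsBoundary"],
            "Resource": "*",
        },
        {   # Added here: the boundary must not be swapped for another policy.
            "Sid": "OnlyOurBoundaryMayBePut",
            "Effect": "Deny",
            "Action": ["iam:PutRolePermissionsBoundary"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate an IAM Condition block against the request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            patterns = _as_list(wanted)
            actual = context.get(key)
            if actual is None:
                # IAM: missing key -> positive operators fail, negated ones hold.
                if not operator.startswith("StringNot"):
                    return False
                continue
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringNotEquals":
                ok = actual not in patterns
            elif operator == "StringLike":      # '*' and '?' wildcards
                ok = any(fnmatchcase(actual, p) for p in patterns)
            elif operator == "StringNotLike":
                ok = not any(fnmatchcase(actual, p) for p in patterns)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM and may contain wildcards.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    cases = [
        ("CreateRole with our boundary", "iam:CreateRole", {"iam:PermissionsBoundary": BOUNDARY_ARN}),
        ("CreateRole with no boundary", "iam:CreateRole", {}),
        ("CreateRole with another boundary", "iam:CreateRole",
         {"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/other"}),
        ("Delete the boundary", "iam:DeleteRolePermissionsBoundary", {}),
        ("Swap to another boundary", "iam:PutRolePermissionsBoundary",
         {"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/other"}),
    ]
    for label, action, ctx in cases:
        print(f"{label:34s} -> {evaluate(POLICY, action, ROLE_ARN, ctx)}")
```

Note that the policy above grants nothing for iam:PutRolePermissionsBoundary itself; the Deny only matters if another attached policy allows that action, which is exactly when you want the boundary pinned.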
Good to know. Could you share what your solution is? You should add it here as a solution to your own question. – Ian Jenkins Feb 06 '19 at 21:12