
I have a statement in Terraform that is as follows:

statement {
    sid    = "DenyDelete"
    effect = "Deny"
    actions = [
      "iam:Delete*"
    ]
    resources = [
      "arn:aws:iam::123456789012:user/(?!userA|userB)",
    ]
}

With this statement I am hoping to deny iam:delete actions on all users except userA and userB. i.e. the regex will match any string that starts with arn:aws:iam::123456789012:user/ and is followed by anything but userA and userB. I have tested the regex arn:aws:iam::123456789012:user\/(?!userA|userB) in https://regex101.com/ and I have confirmed it will match any user ARN except that of userA and userB. However, deploying this statement does not seem to give the desired results and I presume it is because I am using the regex syntax wrong in terraform - does anyone know the correct regex syntax so that resources will include all users except userA and userB? Note that I cannot use NotResource as that will include all other resources including non-users.

Martin Atkins
Sabo Boz

1 Answer


This is more an AWS IAM question. You can use wildcards but not regular expressions.

If you want to protect a list of users and you know them upfront, you can add those into the resources. You said you can't use NotResource, but I think you could if you limit your action to iam:DeleteUser and leave iam:Delete* to whatever you want, deny or allow.

If your users are tagged, you can also use ABAC (Attribute Based Access Control) instead of resource-based control. In this case you would write an IAM policy that checks for a tag on the resources. Something like:

statement {
    sid    = "DenyDelete"
    effect = "Deny"
    actions = [
      "iam:DeleteUser"
    ]
    # A statement needs a Resource element; the condition below does the
    # actual narrowing, so all user ARNs are in scope here.
    resources = ["*"]
    # Only deny when the target user carries the tag ProtectedUser=true.
    condition {
      test     = "StringEquals"
      variable = "iam:ResourceTag/ProtectedUser"
      values   = ["true"]
    }
}
jkrnak
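The NotResource variant the answer suggests, written out as a complete Terraform policy document. This is an added example and not code from the question or the answer; the account ID and user names are the ones from the question, and the resource names deny_delete_users and the policy name are illustrative. Because the action is narrowed to iam:DeleteUser, the NotResource element can only ever match user ARNs, so the asker's concern about it pulling in non-user resources does not apply.

```hcl
# Deny iam:DeleteUser on every user in account 123456789012 except userA
# and userB. Added example; names below are illustrative.
data "aws_iam_policy_document" "deny_delete_users" {
  statement {
    sid    = "DenyDeleteUserExceptAllowlist"
    effect = "Deny"

    # Narrowed from iam:Delete* so this statement only touches user
    # deletion; other iam:Delete* actions (roles, policies, ...) are
    # left to whatever other statements say about them.
    actions = ["iam:DeleteUser"]

    # IAM resource matching understands only the * and ? wildcards, never
    # regular expressions, so an allow-list has to be expressed as a
    # NotResource list of literal ARNs. Note that a user created under a
    # path has an ARN like .../user/some/path/userA and would not match.
    not_resources = [
      "arn:aws:iam::123456789012:user/userA",
      "arn:aws:iam::123456789012:user/userB",
    ]
  }
}

resource "aws_iam_policy" "deny_delete_users" {
  name   = "deny-delete-users-except-allowlist"
  policy = data.aws_iam_policy_document.deny_delete_users.json
}
```

After `terraform plan`, the rendered JSON shows a single statement with `"Action": "iam:DeleteUser"` and a `"NotResource"` array of the two ARNs; an explicit Deny wins over any Allow, so attaching this policy to a principal blocks deletion of every other user in the account while leaving userA and userB deletable by whatever Allow statements the principal already has.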