Skip to content

Generate Deny IAM Admin Identity Policy

You can generate an AWS IAM Identity policy that denies the permissions that allow an IAM role or user to administer IAM with:

GET /policy/aws/identity/deny-iam-admin (Try it!)

This identity policy is useful for removing IAM administration privileges from an IAM principal that is over-permissioned but you can not or prefer not to adjust the Identity policies granting the excess permissions. (You can also accomplish this with the 'Deny IAM Admin' Permissions Boundary policy)

Example use cases:

  • a SOC needs to triage admin permissions in production while follow-up occurs in the upstream delivery process
  • a CI/CD system wants to execute with both a fully-privileged and a less-privileged role but maintain only one policy granting privileges
  • you're not sure where the IAM admin permissions are being allowed, but you need them gone

The response is an AWS Identity policy with one statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIAMAdministerResource",
      "Effect": "Deny",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "...",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "*"
    }
  ]
}

The DenyIAMAdministerResource statement denies the +95 IAM permissions that k9 Security classifies as providing the administer-resource capability. See the access-capabilities API for the full list.

Using the generated policy

To use the generated policy, you have two options:

Option 1 - Attach Managed Policy

  1. Create a managed policy in your AWS account(s) with the contents of the generated policy, named e.g. Deny-IAM-Admin
  2. Attach the managed policy to the IAM role, user, or group (details)

Option 2 - Embed Inline Policy

  1. Navigate to the IAM role, user, or group to configure
  2. Select 'Permissions' → 'Add Permissions' → 'Create Inline Policy'
  3. Create an inline policy with the contents of the generated policy, named e.g. DenyIAMAdminPrivs

Request Headers

Set the Content-Type header to application/json

Request Path Parameters

Not Applicable

Request Body

Not Applicable

Response

Success

When you successfully generate a policy, the API will respond with:

Response Status Code: 200 (OK)

Response Body: (Try it!)

Last update: March 28, 2024