Skip to content

Generate Deny IAM Admin Permissions Boundary Policy

You can generate an AWS IAM Permissions Boundary policy that denies the permissions that allow an IAM role or user to administer IAM with:

GET /policy/permission-boundary/deny-iam-admin (Try it!)

This permissions boundary policy is useful for removing IAM administration privileges from an IAM principal that is over-permissioned but you can not or prefer not to adjust the policies granting the excess permissions. Example use cases:

  • a SOC needs to triage admin permissions in production while follow-up occurs in the upstream delivery process
  • a CI/CD system wants to execute with both a fully-privileged and a less-privileged role but maintain only one policy granting privileges
  • you're not sure where the IAM admin permissions are being allowed, but you need them gone

The response is an AWS Identity policy with two statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIAMAdministerResource",
      "Effect": "Deny",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "...",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPermissionsGrantedByOtherPolicies",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

The DenyIAMAdministerResource statement denies the +95 IAM permissions that k9 Security classifies as providing the administer-resource capability. See the access-capabilities API for the full list.

The AllowPermissionsGrantedByOtherPolicies statement allows all other permissions that were granted to the principal by Identity and Resource policies. A permissions boundary does not grant any new permissions (details).

To use the generated policy, you must:

  1. Create a managed policy in your AWS account(s)
  2. Set the managed policy as a permission boundary on the IAM role or user (details)

Request Headers

Set the Content-Type header to application/json

Request Path Parameters

Not Applicable

Request Body

Not Applicable

Response

Success

When you successfully generate a policy, the API will respond with:

Response Status Code: 200 (OK)

Response Body (Example): complete response json (Nov 14, 2022)

Last update: November 3, 2023