Skip to content

Generate Deny IAM Admin Permissions Boundary Policy

You can generate an AWS IAM Permissions Boundary policy that denies the permissions that allow an IAM role or user to administer IAM with:

GET /policy/aws/permission-boundary/deny-iam-admin (Try it!)

This permissions boundary policy is useful for removing IAM administration privileges from an IAM principal that is over-permissioned but you can not or prefer not to adjust the Identity policies granting the excess permissions.

Example use cases:

  • a SOC needs to triage admin permissions in production while follow-up occurs in the upstream delivery process
  • a CI/CD system wants to execute with both a fully-privileged and a less-privileged role but maintain only one policy granting privileges
  • you're not sure where the IAM admin permissions are being allowed, but you need them gone

The response is an AWS Identity policy with two statements:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIAMAdministerResource",
      "Effect": "Deny",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "...",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowPermissionsGrantedByOtherPolicies",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

The DenyIAMAdministerResource statement denies the +95 IAM permissions that k9 Security classifies as providing the administer-resource capability. See the access-capabilities API for the full list.

The AllowPermissionsGrantedByOtherPolicies statement allows all other permissions that were granted to the principal by Identity and Resource policies. A permissions boundary does not grant any new permissions (details).

Note: That Permissions Boundaries do not grant new permissions is a very important difference between Permissions Boundaries and Identity policies. Do not use this policy as an Identity policy. If you want to work with Identity policies, use the Generate 'Deny IAM Admin' Identity policy API instead.

Using the generated policy

To use the generated policy, you must:

  1. Create a managed policy in your AWS account(s) with the contents of the generated policy, named e.g. Deny-IAM-Admin-PermBoundary
  2. Set the managed policy as a permission boundary on the IAM role or user (details)

Request Headers

Set the Content-Type header to application/json

Request Path Parameters

Not Applicable

Request Body

Not Applicable

Response

Success

When you successfully generate a policy, the API will respond with:

Response Status Code: 200 (OK)

Response Body: (Try it!)

Last update: March 28, 2024