How to Create a Admin Group with AdministratorAccess access that CANNOT create new users or groups

169 views Asked by At

I am new to AWS and find it unnecessarily disorganized and complicated.

I would like to give a developer access to the account at the AdministratorAccess level but limit that access by not allowing him to create additional users or groups. Without limiting this, he can create a user that has access to billing. I want to make sure no one has access to billing or can create users that can access billing.

How do I do that?

1

There are 1 answers

2
Dennis Traub On BEST ANSWER

You can create a customer managed IAM policy based on Administrator Access and add an explicit Deny statement similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "iam:CreateGroup",
                "iam:CreateUser",
                ...
            ],
            "Resource": "*"
        }
    ]
}

Note: The above restrictions will not be sufficient, they only demonstrate the general principle. To effectively restrict users you would also have to deny actions that attach managed policies or put inline policies to users or groups and actions that change already attached policies.

In general, it is advisable to follow the Principle of Least Privilege and give users only the permissions that they actually need. Only in rare cases you should start with AdministratorAccess and then incrementally restrict the permissions. It is considered best practice to start with no permissions and then incrementally add what is needed.


P.S.: You could also implement a mechanism that automatically attaches the following policy to all users to effectively deny all cost explorer and billing-related actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "aws-portal:*Billing",
                "aws-portal:*Usage",
                "aws-portal:*PaymentMethods",
                "ce:UpdatePreferences",
                "ce:CreateReport",
                "ce:UpdateReport",
                "ce:DeleteReport",
                "ce:CreateNotificationSubscription",
                "ce:UpdateNotificationSubscription",
                "ce:DeleteNotificationSubscription",
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "cur:ModifyReportDefinition",
                "cur:DeleteReportDefinition",
                "purchase-orders:*PurchaseOrders"
            ],
            "Resource": "*"
        }
    ]
}