Restrict AWS Developer Power User access by specifying date condition (DateGreaterThan, DateLessThan)


I have this managed policy for AWS Developer Power User, which gives the user access to all AWS resources and actions except IAM and Organizations (just one level below the Admin role).

# Trust policy: who may assume the role (federated SAML users only)
AssumeRolePolicyDocument:
  Version: 2012-10-17
  Statement:
    - Effect: Allow
      Principal:
        Federated:
          - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/ABC"
      Action: 'sts:AssumeRoleWithSAML'
      Condition:
        StringEquals:
          SAML:aud: "https://signin.aws.amazon.com/saml"
Path: /
# Permissions policy: everything except IAM, Organizations and Account,
# plus the handful of read/service-linked-role actions listed below
Policies:
  - PolicyName: ABC
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          NotAction:
            - iam:*
            - organizations:*
            - account:*
          Resource: '*'
        - Effect: Allow
          Action:
            - iam:CreateServiceLinkedRole
            - iam:DeleteServiceLinkedRole
            - iam:ListRoles
            - organizations:DescribeOrganization
            - account:ListRegions
          Resource: '*'

I want to restrict the user's access to particular dates (for example, during a deployment schedule) and added the code below for the Date operator.

Condition:
  DateGreaterThan:
    aws:CurrentTime: '2020-04-01T00:00:00Z'
  DateLessThan:
    aws:CurrentTime: '2020-06-30T23:59:59Z'

However, adding the above condition clause to the PowerUser managed policy throws a 400 Malformed error during deployment of the policy in the AWS Console.

Is it possible to add the date condition clause to the PowerUserAccess managed policy? https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_developer-power-user

Answer by Chris Williams:

If you want to use the IAM managed policy, you can just add another policy to the user that denies them if they're outside the date range.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBeforeWindowOpens",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"}}
        },
        {
            "Sid": "DenyAfterWindowCloses",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}}
        }
    ]
}

An explicit deny always overrides any allow statement; for more information on policy evaluation, check out the Policy Evaluation page on AWS.
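The two things worth verifying before shipping a date-gated Deny are that the explicit Deny really overrides the PowerUser Allow, and that the window is expressed the right way round: every operator inside one Condition block is ANDed, so a single Deny statement carrying both DateGreaterThan(start) and DateLessThan(end) matches only while the clock is inside the window, whereas one Deny statement per side of the window denies outside it. The script below is an added example, not code from the question or the answer; it is a small offline model of IAM evaluation covering only Effect, Action/NotAction wildcards and the two date operators on aws:CurrentTime (Resource and Principal matching, other operators and IAM's case-insensitive action matching are left out). The policy dictionaries are the question's role policy and the two Deny variants, and the timestamps are constructed sample inputs. For the authoritative answer, run `aws iam simulate-custom-policy` with a context entry for aws:CurrentTime of type `date`.

```python
"""Offline model of IAM date conditions and explicit-deny precedence.

Added example, not from the original post. Models only Effect, Action/NotAction
with "*" wildcards, and DateGreaterThan / DateLessThan on aws:CurrentTime.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Deployment window from the question.
WINDOW_START = "2020-04-01T00:00:00Z"
WINDOW_END = "2020-06-30T23:59:59Z"

# The question's inline policy, written as JSON-style dicts instead of CloudFormation YAML.
POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization",
                    "account:ListRegions"],
         "Resource": "*"},
    ],
}

# Variant 1: both operators in ONE Deny statement. Operators in a Condition
# block are ANDed, so this matches only while now is inside the window.
DENY_INSIDE_WINDOW = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": WINDOW_START},
                      "DateLessThan": {"aws:CurrentTime": WINDOW_END}},
    }],
}

# Variant 2: one Deny statement per side of the window, so either can match
# on its own. This is what "deny if outside the date range" needs.
DENY_OUTSIDE_WINDOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyBeforeWindowOpens", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"DateLessThan": {"aws:CurrentTime": WINDOW_START}}},
        {"Sid": "DenyAfterWindowCloses", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": WINDOW_END}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse(ts: str) -> datetime:
    # IAM date values are ISO 8601; a trailing Z means UTC.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def condition_matches(condition: dict, now: str) -> bool:
    """Every operator in a Condition block must hold (logical AND)."""
    current = _parse(now)
    for operator, keys in condition.items():
        value = _parse(keys["aws:CurrentTime"])
        if operator == "DateGreaterThan":
            ok = current > value
        elif operator == "DateLessThan":
            ok = current < value
        else:
            raise ValueError(f"operator {operator} is not modelled here")
        if not ok:
            return False
    return True


def statement_applies(stmt: dict, action: str, now: str) -> bool:
    """True when Action/NotAction covers the action and the Condition holds."""
    if "Action" in stmt:
        covered = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    else:
        covered = not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    return covered and condition_matches(stmt.get("Condition", {}), now)


def is_allowed(policies: list, action: str, now: str) -> bool:
    """IAM evaluation: an explicit Deny in any attached policy wins, otherwise
    some Allow must match, otherwise the request is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, now):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample timestamps: before, inside and after the window.
    for when in ("2020-03-31T12:00:00Z", "2020-05-15T12:00:00Z", "2020-07-01T12:00:00Z"):
        print(when,
              "one-statement deny:", is_allowed([POWER_USER, DENY_INSIDE_WINDOW], "s3:ListAllMyBuckets", when),
              "two-statement deny:", is_allowed([POWER_USER, DENY_OUTSIDE_WINDOW], "s3:ListAllMyBuckets", when))
```

Running it shows the two-statement Deny allowing s3:ListAllMyBuckets only inside the window, while the one-statement Deny blocks it during the deployment window and leaves it open afterwards, the opposite of the intent. The NotAction branch is also exercised: iam:CreateUser is never allowed by the PowerUser policy, with or without the date Deny attached.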