AWS Security Blog

How to Create a Limited IAM Administrator by Using Managed Policies

AWS Identity and Access Management (IAM) recently launched managed policies, which enable you to attach a single access control policy to multiple entities (IAM users, groups, and roles). Managed policies also give you precise, fine-grained control over how your users can manage policies and permissions for other entities. For example, you can control which managed policies a user can attach to or detach from specific entities. Using this capability, you can now delegate management responsibilities by creating limited IAM administrators. These administrators can create users, groups, and roles, but they can only grant access using a restricted set of managed policies. This post walks you through creating a limited IAM administrator.

To follow along with this post, you will need to use the AWS Command Line Interface (CLI), and your default AWS CLI profile must also have full IAM privileges (iam:*). If you have not already set up the AWS CLI, Getting Set Up with the AWS Command Line Interface walks you through the configuration. 

Introducing limited administrative permissions

You can restrict the set of managed policies a privileged user can attach to other IAM entities by adding a Condition block to the privileged user’s policy with a condition that contains one or more managed policy Amazon Resource Names (ARNs). The new iam:PolicyArn condition key can be used to specify the set of managed policies that can be attached to a user, role, or group. You can leverage this functionality to create a limited IAM administrator.

Let’s say that you are kicking off a new large-scale project that includes a set of developers and a user who will act as the project administrator. The developers need full access to Amazon DynamoDB as well as read/write permissions to a specific Amazon S3 bucket. The project administrator requires IAM privileges, but only a limited set: she should be able to create users and generate access keys, and be able to grant permissions by using a well-defined set of managed policies. This prevents the project administrator from granting access to resources outside the project scope. For example, she should not be able to attach a policy to a user that grants access to Amazon EC2.

The rest of this blog post walks you through the AWS CLI steps to create and attach a customer managed policy to enable the limited IAM administrator use case. You will also create one more policy, which the limited IAM administrator can use to grant permissions to developers on the project.

The following diagram illustrates the IAM users and customer managed policies that you will create. The arrows illustrate how you will attach the policies to IAM users. You can see that there are two users, myproject-limited-admin and myprojectdev1. You will create the MyProjectLimitedAdminAccess policy and attach it to the limited IAM administrator, myproject-limited-admin, along with the preexisting AWS managed policy, IAMReadOnlyAccess. You will then create the MyProjectS3Access policy and attach it to the project developer, myprojectdev1, along with the AWS managed policy, AmazonDynamoDBFullAccess.

Diagram illustrating the IAM users and customer managed policies you will create

Create a policy with limited IAM administrator permissions by using the AWS CLI

First, you will create the MyProjectLimitedAdminAccess policy. It specifies the privileges for your limited IAM administrator, including the set of managed policies that the limited IAM administrator may attach and detach. This is the managed policy that you will attach to your limited IAM administrator later in the post.

To specify the set of managed policies that the limited IAM administrator may attach and detach, use the iam:PolicyArn condition key to list the ARNs of these policies inside the Condition block of MyProjectLimitedAdminAccess. By specifying the exact set of managed policies that the limited IAM administrator may attach, you prevent the limited IAM administrator from elevating her own privilege and gaining unauthorized access to your account. In this example, the limited IAM administrator can attach two managed policies to manage the project team whose members require S3 and DynamoDB access: the customer managed policy, MyProjectS3Access, and the AWS managed policy, AmazonDynamoDBFullAccess. I cover creating the MyProjectS3Access policy later in this post.

The MyProjectLimitedAdminAccess policy contains two statements (the full policy document follows). Each statement grants a different set of IAM actions on a set of resources, optionally subject to a condition:

  • The first statement enables the limited IAM administrator to create and delete IAM users and to manage their access keys and passwords. Note: In this simplified example, the limited IAM administrator may manage every IAM user in the account, which in many real-world scenarios is not restrictive enough: with Resource set to *, she could create an access key for any existing user, including one that already holds full administrative permissions, and then use that key herself. To constrain the limited IAM administrator to a specific set of IAM users, use the path in the IAM user, group, and role ARN. For example, to allow her to manage only IAM users under the myproject path, specify the following ARN in the statement’s Resource: arn:aws:iam::AWS-ACCOUNT-ID:user/myproject/*. Because iam:CreateUser is evaluated against the ARN of the user being created, she can then create users only under that path as well. Keep in mind that the list and get actions in this statement (iam:ListPolicies, iam:ListGroups, iam:GetPolicy, iam:GetAccountSummary) do not operate on a user ARN, so when you scope the Resource this way, move them into a separate statement whose Resource is *. For more information about paths and IAM identifiers, see IAM Identifiers.
  • The second statement lets the limited IAM administrator attach a specific set of managed policies to IAM users and detach them again. To do this, we use the new iam:PolicyArn condition key in the statement’s Condition element, which specifies that the only two managed policies the limited IAM administrator may attach are MyProjectS3Access and AmazonDynamoDBFullAccess. You can use the statement’s Resource element to restrict the IAM users to whom the limited IAM administrator can attach these policies; as written, Resource is *, so she can attach either of the permitted policies to any user, including her own. Note that the restriction only holds because the policy grants no other way to assign permissions: it grants no iam:PutUserPolicy (inline policies), no iam:AttachGroupPolicy, iam:AttachRolePolicy, or iam:AddUserToGroup, and no iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion, which would allow changing what MyProjectS3Access itself grants. Granting any of these without a condition would bypass the iam:PolicyArn check. For more information about how to do this, refer to Controlling Permissions for Attaching and Detaching Managed Policies.

Note: Replace AWS-ACCOUNT-ID with your own AWS account ID in all ARNs used in policies and AWS CLI commands that follow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUsersPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile",
        "iam:DeleteUser",
        "iam:UpdateAccessKey",
        "iam:ListAttachedUserPolicies",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:GetPolicy",
        "iam:GetAccountSummary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LimitedAttachmentPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectS3Access",
            "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
          ]
        }
      }
    }
  ]
}

Save the document to your local file system as MyProjectLimitedAdminAccess.json. You will now use it and the AWS CLI to create a customer managed policy.

aws iam create-policy --policy-name MyProjectLimitedAdminAccess --description "Grants limited IAM administrator access to manage developers for my project" --policy-document file://MyProjectLimitedAdminAccess.json

The following is an example of the expected output from this AWS CLI command.

{
    "Policy": {
        "PolicyName": "MyProjectLimitedAdminAccess",
        "CreateDate": "2015-02-22T22:12:15.730Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAJ2UCCR6DPCEXAMPLE",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectLimitedAdminAccess",
        "UpdateDate": "2015-02-22T22:12:15.730Z"
    }
}

Create the limited IAM administrator by using the AWS CLI

In this section, you will use the AWS CLI to create the limited IAM administrator along with its credentials. You will also assign managed policies to allow the limited IAM administrator to manage the developers for the project. I have omitted the output from the AWS CLI commands for brevity.

  1. Create the limited IAM administrator.

Use the AWS CLI command create-user to create an IAM user with the name myproject-limited-admin.

aws iam create-user --user-name myproject-limited-admin

  2. Create credentials for the limited IAM administrator.

Use the AWS CLI command create-access-key to create an access key for the myproject-limited-admin user.

aws iam create-access-key --user-name myproject-limited-admin

The secret access key is returned only in the response to this call, so record it securely. Then follow the Quick Configuration instructions from the AWS CLI user guide to create a new AWS CLI named profile, limitedadmin (for example, with aws configure --profile limitedadmin), by using the credentials returned by the call to create-access-key.

  3. Attach managed policies to the limited IAM administrator.

You now have a limited IAM administrator, myproject-limited-admin, but that user needs its limited IAM administrator permissions, which you will attach using the attach-user-policy command. Continuing with our example, we will attach two managed policies to myproject-limited-admin:

  • The customer managed policy, MyProjectLimitedAdminAccess, which was created in the previous section. This policy gives myproject-limited-admin the permission to create and manage IAM users for our project. This includes the ability to create access keys and attach a well-defined set of managed policies to these IAM users.
  • The AWS managed policy, IAMReadOnlyAccess, which gives myproject-limited-admin read-only access to IAM so that it can browse users, groups, and policies in the IAM console.

aws iam attach-user-policy --user-name myproject-limited-admin --policy-arn arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectLimitedAdminAccess
aws iam attach-user-policy --user-name myproject-limited-admin --policy-arn arn:aws:iam::aws:policy/IAMReadOnlyAccess

Create a customer managed policy for S3 access

Now you will create the MyProjectS3Access policy, which your limited IAM administrator can attach to the project’s IAM users.

The following policy document will be used for this policy. Note: Replace EXAMPLE-BUCKET-NAME with the name of your bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"]
    }
  ]
}

Save this policy document in your local file system as MyProjectS3Access.json. You will now use it and the AWS CLI to create a customer managed policy.

aws iam create-policy --policy-name MyProjectS3Access --description "Grants S3 access to bucket used for my project" --policy-document file://MyProjectS3Access.json

The following is an example of the expected output from this AWS CLI command.

{
    "Policy": {
        "PolicyName": "MyProjectS3Access",
        "CreateDate": "2015-02-21T22:12:15.730Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "ANPAJ4AE5446DAEXAMPLE",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectS3Access",
        "UpdateDate": "2015-02-21T22:12:15.730Z"
    }
}

For more information about how to author an IAM S3 policy, see Writing IAM Policies: How to grant access to an Amazon S3 bucket.

Use the limited IAM administrator to manage IAM users and permissions

Now that you have created the limited IAM administrator, myproject-limited-admin, you can use its credentials to manage any IAM users needed for developers on the project. In this section, you will use myproject-limited-admin to create an IAM user, myprojectdev1, with an access key. You will also grant the user access to S3 and DynamoDB resources by attaching two managed policies to the user.

First, create the IAM user along with an access key (the output from these two operations has been omitted).

aws iam --profile limitedadmin create-user --user-name myprojectdev1
aws iam --profile limitedadmin create-access-key --user-name myprojectdev1

Next, attach the managed policies MyProjectS3Access and AmazonDynamoDBFullAccess to this IAM user.

aws iam --profile limitedadmin attach-user-policy --user-name myprojectdev1 --policy-arn arn:aws:iam::AWS-ACCOUNT-ID:policy/MyProjectS3Access
aws iam --profile limitedadmin attach-user-policy --user-name myprojectdev1 --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

As mentioned before, myproject-limited-admin cannot attach any policies other than the two listed in the iam:PolicyArn condition of MyProjectLimitedAdminAccess, and, because that policy grants no iam:PutUserPolicy, it cannot add inline policies either. If you attempt to attach a different AWS managed or customer managed policy using the myproject-limited-admin credentials, the call fails with an AccessDenied error.
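The access-denied outcome described here, and the Condition logic of MyProjectLimitedAdminAccess explained earlier in the post, can be checked before the policy ever reaches an account. The following is an added example, not code from the original post or from AWS: a small Python evaluator that models only the slice of IAM policy evaluation this policy relies on (implicit deny, explicit Deny over Allow, * and ? wildcards in Action and Resource, and ArnEquals/ArnLike on iam:PolicyArn) and runs the post’s policy through the calls discussed above. The policy document is the post’s, with the path scoping from the earlier note applied to both the user-management and the attach/detach statements, which also stops the limited administrator from attaching policies to her own user outside that path; the list/get actions, which do not take a user ARN, are split into their own statement. The account ID, the user ARNs, and AmazonEC2FullAccess as the disallowed policy are placeholders chosen for the example. Against a real account, the IAM policy simulator (aws iam simulate-principal-policy) remains the authoritative check.

```python
"""Offline check of the MyProjectLimitedAdminAccess policy logic (added example)."""
import copy
import re

ACCOUNT_ID = "123456789012"  # placeholder account ID, not a real account


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Every operator and key must hold (AND); any listed value may match (OR).
    Only ArnEquals/ArnLike are modelled; IAM treats the two identically."""
    for operator, keys in condition.items():
        if operator not in ("ArnEquals", "ArnLike"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, patterns in keys.items():
            actual = context.get(key)  # a missing request key never satisfies ArnEquals
            if actual is None or not any(_glob_match(p, actual) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one API call evaluated against one identity policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until a matching Allow statement is found
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision


# The post's policy with the path scoping its note recommends: user-management
# actions (and attach/detach) are limited to users under /myproject/, and the
# list/get actions, which do not take a user ARN, get their own statement.
PROJECT_USERS = f"arn:aws:iam::{ACCOUNT_ID}:user/myproject/*"
LIMITED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageProjectUsers", "Effect": "Allow", "Resource": PROJECT_USERS,
         "Action": ["iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateLoginProfile",
                    "iam:CreateUser", "iam:DeleteAccessKey", "iam:DeleteLoginProfile",
                    "iam:DeleteUser", "iam:UpdateAccessKey", "iam:ListAttachedUserPolicies",
                    "iam:ListUserPolicies", "iam:ListGroupsForUser"]},
        {"Sid": "ReadOnlyListing", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListPolicies", "iam:ListGroups", "iam:GetPolicy", "iam:GetAccountSummary"]},
        {"Sid": "LimitedAttachmentPermissions", "Effect": "Allow", "Resource": PROJECT_USERS,
         "Action": ["iam:AttachUserPolicy", "iam:DetachUserPolicy"],
         "Condition": {"ArnEquals": {"iam:PolicyArn": [
             f"arn:aws:iam::{ACCOUNT_ID}:policy/MyProjectS3Access",
             "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"]}}},
    ],
}

DEV_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/myproject/myprojectdev1"
OTHER_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/admin"  # hypothetical user outside the path
DYNAMODB = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
EC2 = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"  # a policy the admin must not hand out


def check(policy=LIMITED_ADMIN_POLICY):
    """Decisions the limited administrator gets for the calls the post discusses."""
    attach = "iam:AttachUserPolicy"
    return {
        "attach_dynamodb_to_dev": evaluate(policy, attach, DEV_USER, {"iam:PolicyArn": DYNAMODB}),
        "attach_ec2_to_dev": evaluate(policy, attach, DEV_USER, {"iam:PolicyArn": EC2}),
        "attach_dynamodb_outside_path": evaluate(policy, attach, OTHER_USER, {"iam:PolicyArn": DYNAMODB}),
        "inline_policy_on_dev": evaluate(policy, "iam:PutUserPolicy", DEV_USER),
        "create_key_for_dev": evaluate(policy, "iam:CreateAccessKey", DEV_USER),
        "create_key_outside_path": evaluate(policy, "iam:CreateAccessKey", OTHER_USER),
        "list_policies": evaluate(policy, "iam:ListPolicies", "*"),
    }


def with_extra_action(policy, action):
    """Copy of the policy with one more unconditioned action in its first statement,
    to show that e.g. iam:PutUserPolicy would sidestep the iam:PolicyArn restriction."""
    weak = copy.deepcopy(policy)
    weak["Statement"][0]["Action"].append(action)
    return weak


if __name__ == "__main__":
    for call, decision in check().items():
        print(f"{decision:5}  {call}")
    weak = with_extra_action(LIMITED_ADMIN_POLICY, "iam:PutUserPolicy")
    print(f'{check(weak)["inline_policy_on_dev"]:5}  inline_policy_on_dev (with iam:PutUserPolicy added)')
```

Running the module prints the decision for each call: the DynamoDB attachment to the project developer is allowed, the EC2 attachment, the inline policy, and every operation on a user outside the /myproject/ path are denied. The last line shows that adding a single unconditioned action such as iam:PutUserPolicy to the first statement turns the inline-policy call into an Allow, which is why the restriction depends as much on what the policy leaves out as on the Condition block.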

Managed policies and federation

In many enterprise environments, IAM roles are used to enable access to AWS resources via identity federation. The technique in this post applies equally to such roles: grant iam:AttachRolePolicy and iam:DetachRolePolicy subject to the same iam:PolicyArn condition, and scope the statement’s Resource to the roles the limited IAM administrator should manage. For more information about how to provide access to AWS resources for users who sign in using a third-party identity provider via IAM roles, see Creating a Role for Third-Party Identity Provider (Federation).

Learn more about managed policies

This blog post has shown how managed policies can allow you to create a limited IAM administrator that is granted a limited set of administrative privileges. For more information about managed policies, visit Managing Policies.

We look forward to hearing how you are using limited IAM administrators and the ways we can improve the functionality. You can post comments below, or visit the IAM forum to post comments and questions about managed policies.

– Mikael