1 Answer
2
Hello,
The PowerUser will have access to every service except for some permissions regarding the IAM service. As you can see, you are trying to perform an action on the IAM service, iam:ListInstanceProfiles. The Power User does not have access to the IAM API actions because managing users is the most powerful tool in AWS. The reason why managing users is so powerful is that if somebody has full access to the IAM service, that identity can grant itself or other users any permission it wants.
PowerUserAccess = Admin Access - IAM
answered 5 months ago
Thank you so much, this makes perfect sense! What is the best practice for allowing those who need to assign necessary IAM roles to EC2 instances/other objects to do so without allowing them full access to all IAM actions? Do I just need to make a custom policy that allows iam:PassRole for the relevant IAM role(s)?
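The following is an added example, not code from AWS or from either participant in the thread. It puts the "PowerUserAccess = Admin Access - IAM" rule and the iam:PassRole idea from the follow-up into a small, offline policy evaluator so the two can be checked side by side: first that PowerUserAccess alone implicitly denies iam:ListInstanceProfiles (the action in the original error) while still allowing EC2 calls, then that a narrow add-on policy allowing iam:PassRole on one role path, pinned to EC2 with the iam:PassedToService condition key, plus the read-only list/get actions the EC2 launch flow needs, grants exactly that and nothing else in IAM. The evaluator models only the subset of IAM semantics needed here (default deny, explicit Deny wins, Action/NotAction, Resource wildcards, StringEquals conditions). The PowerUserAccess statements are reproduced as published by AWS at the time of writing and should be confirmed against the current managed policy version in your account; the account id 123456789012, the role path /ec2/ and the role names are made-up placeholders.

```python
"""Toy IAM policy evaluator (added example; not AWS code)."""
from fnmatch import fnmatchcase

# PowerUserAccess as published by AWS at the time of writing. Confirm the
# current version with:
#   aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/PowerUserAccess --version-id <id>
POWER_USER_ACCESS = [
    {"Effect": "Allow",
     "NotAction": ["iam:*", "organizations:*", "account:*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                "iam:ListRoles", "organizations:DescribeOrganization",
                "account:ListRegions"],
     "Resource": "*"},
]

# Hypothetical add-on policy (placeholder account id and role path): lets a
# power user pass roles under /ec2/ to EC2 instances and read the role and
# instance-profile metadata the launch flow needs. iam:PassedToService pins the
# role to EC2 so the same role cannot be handed to Lambda, CloudFormation, etc.
PASS_ROLE_FOR_EC2 = [
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ec2/*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Effect": "Allow",
     "Action": ["iam:ListInstanceProfiles", "iam:GetInstanceProfile",
                "iam:GetRole", "iam:ListRoles"],
     "Resource": "*"},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_action(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # Resource ARNs are case-sensitive; '*' and '?' are wildcards.
    return fnmatchcase(resource, pattern)


def _conditions_hold(cond, ctx):
    # Only StringEquals is modelled; a missing context key fails the test.
    for key, wanted in cond.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(wanted):
            return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    if "Action" in stmt:
        if not any(_match_action(p, action) for p in _as_list(stmt["Action"])):
            return False
    else:  # NotAction: the statement covers every action NOT listed
        if any(_match_action(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    if not any(_match_resource(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    return _conditions_hold(stmt.get("Condition", {}), ctx)


def evaluate(statements, action, resource="*", ctx=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Default is implicit deny; any matching Allow flips it; any matching Deny
    wins regardless of Allows, as in IAM.
    """
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in statements:
        if not _statement_matches(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/ec2/app-web"
    combined = POWER_USER_ACCESS + PASS_ROLE_FOR_EC2
    print(evaluate(POWER_USER_ACCESS, "iam:ListInstanceProfiles"))  # ImplicitDeny
    print(evaluate(POWER_USER_ACCESS, "ec2:RunInstances"))          # Allow
    print(evaluate(combined, "iam:ListInstanceProfiles"))           # Allow
    print(evaluate(combined, "iam:PassRole", role,
                   {"iam:PassedToService": "ec2.amazonaws.com"}))   # Allow
    print(evaluate(combined, "iam:PassRole", role,
                   {"iam:PassedToService": "lambda.amazonaws.com"}))  # ImplicitDeny
    print(evaluate(combined, "iam:CreateUser"))                     # ImplicitDeny
```

The design point is the one the answer makes: the add-on does not hand back iam:* but only the PassRole on a specific role path plus read-only lookups, and the iam:PassedToService condition stops the user from passing an EC2 role to another service where it could run with different trust. A role under /ec2/ still needs a trust policy that lets ec2.amazonaws.com assume it, and whoever writes policies for that path effectively decides what a power user can give an instance, so keep iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy out of the add-on.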