1 Answer
1
But I noticed that even after denying all IAM actions for this user, other users are able to add this user to other groups.

When you add a user to a specific group, you call the AddUserToGroup action internally. However, the documentation indicates that the AddUserToGroup action operates on a group resource, not a user.

Therefore the statement you provided can prevent all users from being added to the Admin group, but you cannot prevent any user (including dev-admin) from being added to any other group.
answered a year ago
Well, I tried that too and changed the stuff a little bit, but it's still not working...

```json
{
  "Sid": "dontAddinAnyGroup",
  "Effect": "Deny",
  "Action": "iam:AddUserToGroup",
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "aws:PrincipalArn": "arn:aws:iam::*:user/dev-admin"
    }
  }
}
```
No, this statement won't work either. The Condition element with aws:PrincipalArn controls which principal (role, user) will be denied from invoking the AddUserToGroup action, not which target user will be prevented from being added to the group. This statement will forbid the dev-admin user from adding any user to any group, but other users with this policy can still add dev-admin to any group. If you want to protect the dev-admin user from being modified, you should deny user or group administration actions unconditionally, e.g.,

Okay, thank you so much :)