How can I restrict user permissions to list only specific group of users and roles ?

Question

Hello,
I want to create a policy that prohibits a user from listing all other users of an account but is only allowed to list users belonging to a specific group.

For example there are 2 groups: "prod" and "dev"
But when it tries to list all users it is only allowed to see users in the "Dev" group.

Same things for roles : to allow listing a specific roles and not all roles.

Thank you for your help !

Answer

The following documentation shows that Condition keys cannot be set for the policies required to view IAM Roles and IAM Groups.  
In other words, it would be difficult to display them in different environments.  
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html

It is recommended to set the necessary ARNs in the resource section as it seems possible to narrow down the ARNs in the resource.  
As an example, the following will limit the user and role details to those of the ARN set for the resource.  
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:ListGroups"
            ],
            "Resource": ["*"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetGroup",
                "iam:GetRole"
            ],
            "Resource": ["arn:aws:iam::AWS Account ID:user/IAM User Name",
                         "arn:aws:iam::AWS Account ID:role/IAM Role Name",
                         "arn:aws:iam::AWS Account ID:group/IAM Group Name"
            ]
        }
    ]
}
```

How can I restrict user permissions to list only specific group of users and roles ?

相關內容