IAM User Policies

0

Dear All, I am trying to create an IAM user and limit its access to the certificates and things generated using this IAM user account, without giving it permission to list all the certificates available on my main root account. I saw that I can use the tags feature and add it as a condition in my IAM policy, but unfortunately I found that neither things nor certificates can hold tags. Is there a workaround that I can use to solve this issue, or can anyone suggest a different solution? Best Regards,

Asked 3 months ago, viewed 257 times
2 answers
1

Hi Mohamed,

You can tag ACM certificates; fully detailed here: https://docs.aws.amazon.com/acm/latest/userguide/tags.html

Then, you can use those tags to control access to those certificates via IAM policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html

Best,

Didier

AWS Expert
answered 3 months ago
reviewed 3 months ago
  • If I already have a generated certificate attached to a thing, can I use ACM to add tags? Or do ACM certificates differ from the actual certificates used by things in my case? Best Regards, Mohamed Smaili
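As an added illustration of the tag-based approach in the answer above (an example policy written for this page, not taken from the answer or from AWS documentation), the following identity-based policy limits an IAM user to ACM certificates that carry an "Owner" tag equal to its own user name. Assumptions: the certificates are ACM certificates, the tag key is "Owner", and 111122223333 is a placeholder account id to be replaced with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IssueCertificatesTaggedAsOwn",
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Owner": "${aws:username}"
        }
      }
    },
    {
      "Sid": "ManageOnlyOwnCertificates",
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListTagsForCertificate",
        "acm:DeleteCertificate"
      ],
      "Resource": "arn:aws:acm:*:111122223333:certificate/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "${aws:username}"
        }
      }
    }
  ]
}
```

The first statement only lets the user request a certificate if the request itself tags it with Owner = the caller's user name (a missing tag makes StringEquals evaluate false, so untagged requests are denied); the second statement grants access to an individual certificate only when that tag is already on it. acm:ListCertificates is deliberately not granted: it accepts no resource-level or tag condition, so granting it would list every certificate in the account, which is exactly what the question wants to avoid. The user instead works from the certificate ARN returned by RequestCertificate. Certificates issued before this policy existed are covered only once an administrator tags them with AddTagsToCertificate, and ${aws:username} resolves only for IAM users, not for federated or assumed-role sessions.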

0

Hi Mohamed, check these steps to resolve the issue:

IAM Policies with Resource ARNs

Create a Certificate Prefix:

Create a unique prefix (e.g., "user-created/") to prepend to all certificate names issued by this IAM user.

IAM User Policy:

Define an IAM policy for the user that allows actions only on certificates with the specific prefix. Here's an example policy using only the AssumeRole action for simplicity (adjust actions based on your needs):

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::<account-id>:role/<role-name>"
      ],
      "Condition": {
        "StringLike": {
          "aws:RequestPath": "/user/certs/user-created/*"
        }
      }
    }
  ]
}

IAM Role Policy:

  • Create a separate IAM role that allows certificate management actions (e.g., iam:GetCertificate, iam:ListCertificates).
  • Attach this role policy to the role referenced in the user policy above.
  • Ensure this role policy restricts access to certificates based on the prefix using the same StringLike condition on aws:RequestPath.

For more, please follow these links to help resolve the issue:

https://docs.aws.amazon.com/acm/latest/userguide/tags.html

https://docs.aws.amazon.com/acm/latest/userguide/security-iam-awsmanpol.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html

Sandeep
Expert
answered 3 months ago
  • Hello @Garre Sandeep, thanks for your help. So you suggest adding the prefix to the name of the certificate? And regarding "aws:RequestPath", should it hold the path to the certificate?
