AWS 管理员角色政策

Question

I created a User in AWS Account and attached my user Admin access And I created another user with the same Admin access, But i don't want that user to delete my user. Any Solutions

I want to know how to do it

Answer 1

With IAM policies an explicit deny takes precedence over an allow statement. This means you can add a single deny statement for a specific resource but still access other resources. You should be able to use this mechanic with IAM User permissions ( but you should create a test user to validate this works as expected!!! )

Create a new policy with below contents and add to the user you want to limit access to delete your user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["iam:DeleteUser"],
            "Resource": "arn:aws:iam::000000000000:user/blah"
        }
    ]
}

(change 000000000000 to your aws account number and blah to the user you wish to prevent being deleted).

Depending on your needs there are a bunch of other IAM permissions you might want to deny against this user such as RemoveUserFromGroup (if you use groups). (The easiest way of seeing these is in the IAM Console - create a policy and use the Visual Editor. Select IAM as service, and look at the permissions available under the Write access section).

NOTE: if your using the Create Policy Visual Editor you can switch between the JSON view and graphical view to see the actual policy. If you edit the JSON view the Visual Editor view will be updated and vice-versa. There should be no errors or warnings reported by the Visual Editor when you complete your policy