AWS IAM: deny users from creating policies on specific resources

Question

I want to be able to give my admin users the permission to create policies in IAM, but I want to make sure that they aren't able to create a policy that affects a specific resource.

To be more specific, these admin users are currently in a user group with a policy that gives them full S3 access except for a specific S3 bucket (in this case, it's a bucket that contains CloudTrail logs). They are also in another user group that gives them full access to IAM, which means it would be easy enough for them to create/edit this S3 policy to give themselves access to that bucket again. Is there a way to do what I'm trying to do, or perhaps a better way to set this up?

Answer 1

With AWS Organizations you can use Service Control Policies to deny access to services and resources. Considering you have a specific role or users that need access to your bucket you can except them of this deny. The SCP would look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudtrailBucket",
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/myrole",
                        "arn:aws:iam::*:user/myuser"
                    ]
                }
            }
        }
    ]
}

Here the docs on how to create SCPs: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html