How to grant limited IAM permissions to create users and roles?
Is there any way to allow for an IAM Admin for all "security accounts" without having to make that user "full admin"? it doesn't seem to be working any other way, and we are trying to stay compliant. For example, we want to provide the ability to create and edit AWS users for only the Development Account, but we don't necessarily want to grant full access (such as to production). --- <ins datetime="2022-05-17T20:04:40Z"> <p><a href="https://support.gruntwork.io/hc/requests/108620">Tracked in ticket #108620</a></p> </ins>
The typical way to handle this is by using [AWS Permission Boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). You can define a permission boundary that has a policy to only allow assuming the dev account roles. You can then modify the dev account admin users to have the `iam:CreateUser` permission but with the permission boundary condition. When you set that, the dev account admin users can only grant at most the ability to assume the dev account roles to the IAM entities that it creates.