Service Control Policies: Prevent IAM Changes to a Specified IAM Role with the Exception of that Role

My Saved Presets

This SCP restricts IAM principals in accounts from making changes to an IAM role created in an AWS account except if the change was being done by that specified role (This could be a common administrative IAM role created in all accounts in your organization).

See Related Configuration Items for a Configuration Package to deploy multiple SCPs to an AWS Account.

Configuration template includes a CloudFormation custom resource to deploy into an AWS account.

Missing Parameters

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": [
                "arn:aws:iam::*:role/"
            ],
            "Effect": "Deny",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalARN": "arn:aws:iam::*:role/"
                }
            }
        }
    ]
}

* Required field

Loading Library ...

Prevent IAM Changes to a Specified IAM Role with the Exception of that Role

Actions

Customize Template

Policy Parameters