I am trying to allow IAM users (OperationsAdmin) within a certain group (OperationsAdmin group) the ability to delete users that have a certain tag (a tag that specifies that admin created the user).
Is this something that is possible to do within CloudFormation? I have tried this but it is not working. Other admin users in other admin groups are able to delete users they should not be able to. Any thoughts on doing this through CloudFormation, using YAML?
OperationsUserGroupAdmin:
  Type: AWS::IAM::Group
  Properties:
    GroupName: !Sub OperationsUserGroupAdmin-${StackName}
    Path: "/"
    Policies:
      - PolicyName: !Sub OperationsUserGroupAdminPolicy-${StackName}
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - "iam:AddUserToGroup"
                - "iam:RemoveUserFromGroup"
              Resource:
                - !Sub "arn:aws:iam::*:group/OperationsUserGroup-${StackName}"
            - Effect: Allow
              Sid: DeleteUser
              Action:
                - "iam:DeleteUser"
              Resource: 'arn:aws:iam::*:user/*'
              Condition:
                StringEquals:
                  aws:RequestTag/CreatedBy:
                    - OperationsAdmin
I was able to find the answer. Basically, I was using the incorrect condition. I should have been using "aws:ResourceTag":
            - Effect: Allow
              Sid: DeleteUser
              Action:
                - "iam:DeleteUser"
              Resource: 'arn:aws:iam::*:user/*'
              Condition:
                StringEquals:
                  aws:ResourceTag/CreatedBy:
                    - OperationsAdmin
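To see why the original condition never matched, here is an added toy evaluator (not code from the question or answer, and not the real IAM engine): it builds the condition keys IAM would populate for an iam:DeleteUser call and evaluates the two statements from this page against constructed sample users. The user names, their tags, and the simplified evaluation rules are assumptions for illustration.

```python
"""Why aws:RequestTag fails and aws:ResourceTag works for iam:DeleteUser.

Hypothetical mini IAM evaluator (constructed for illustration); real IAM
has many more rules. The two statements mirror the ones on this page.
"""

# Statement from the question (wrong key) and from the answer (right key).
REQUEST_TAG_STMT = {
    "Effect": "Allow", "Action": ["iam:DeleteUser"],
    "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": ["OperationsAdmin"]}},
}
RESOURCE_TAG_STMT = {
    "Effect": "Allow", "Action": ["iam:DeleteUser"],
    "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": ["OperationsAdmin"]}},
}

# Constructed sample IAM users and the tags already stored on each of them.
USERS = {
    "alice": {"CreatedBy": "OperationsAdmin"},
    "bob": {"CreatedBy": "SecurityAdmin"},
    "carol": {},
}


def request_context(user, request_tags=None):
    """Build the condition keys IAM would populate for a call on `user`.

    aws:RequestTag/* comes only from tags passed *in the request* (CreateUser,
    TagUser); DeleteUser carries no tags, so those keys are simply absent.
    aws:ResourceTag/* comes from tags already attached to the target user.
    """
    ctx = {}
    for k, v in (request_tags or {}).items():
        ctx[f"aws:RequestTag/{k}"] = v
    for k, v in USERS.get(user, {}).items():
        ctx[f"aws:ResourceTag/{k}"] = v
    return ctx


def allowed(statement, action, ctx):
    """StringEquals with a key missing from the context evaluates to false."""
    if action not in statement["Action"]:
        return False
    for key, values in statement["Condition"].get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in values:
            return False
    return statement["Effect"] == "Allow"


def can_delete(statement, user):
    """True if `statement` allows iam:DeleteUser on the given sample user."""
    return allowed(statement, "iam:DeleteUser", request_context(user))
```

With the aws:RequestTag statement no DeleteUser call is ever allowed, because the request context for that API carries no tag keys; with aws:ResourceTag only users already tagged CreatedBy=OperationsAdmin qualify. The Allow here does not restrict other groups, so anyone whose own policies grant iam:DeleteUser can still delete these users.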