Which solution will meet these requirements?
Create an IAM policy that denies the iam:CreateUser action. Attach the IAM policy to the Research Administrator permission set.
Create an IAM policy that allows all actions except the iam:CreateUser action. Use the IAM policy to set the permissions boundary for the Research Administrator permission set.
Create an SCP that denies the iam:CreateUser action. Attach the SCP to the research team’s AWS account.
Create an AWS Lambda function that deletes IAM users. Create an Amazon EventBridge rule that detects the IAM CreateUser event. Configure the rule to invoke the Lambda function.
Explanations:
The AdministratorAccess policy provides full administrative access, and creating IAM users is allowed by default. Denying the iam:CreateUser action would prevent the research team from managing users, which contradicts the requirement of full resource management.
Setting a permissions boundary only limits the permissions that are granted by the permission set, not the permissions already granted by the AdministratorAccess policy. The IAM policy allowing all actions except iam:CreateUser would not work as intended, as the AdministratorAccess policy supersedes it.
Service Control Policies (SCPs) can be used to apply permission restrictions at the account or organizational unit level. Denying the iam:CreateUser action in an SCP attached to the research team's AWS account would effectively prevent them from creating IAM users, while still allowing full resource management.
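The SCP this explanation describes, written out as an added example (not part of the original question material). The Sid value is an assumption; the deny is evaluated alongside the default FullAWSAccess SCP, so every other action remains allowed and the account's administrators cannot override it from inside the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserCreation",
      "Effect": "Deny",
      "Action": "iam:CreateUser",
      "Resource": "*"
    }
  ]
}
```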
Creating a Lambda function to delete IAM users is an inefficient and reactive solution. It does not prevent the creation of IAM users, but only removes them after they are created. This is not a proactive way to meet the requirement of restricting IAM user creation.