Adding "CreateServiceSpecificCredential" to IAM user management exceptions

liwadman · web-flow · commit db4a09e7ede5 · 2025-07-09T10:39:56.000-07:00
also requires specific tag or principal to be able to create service specific credentials
diff --git a/Privileged-access-controls/Deny-critical-IAM-user-actions.json b/Privileged-access-controls/Deny-critical-IAM-user-actions.json
@@ -1,23 +1,27 @@
 {
-   "Version":"2012-10-17",
-   "Statement":[
-      {
-         "Effect":"Deny",
-         "Action":[
-            "iam:CreateAccessKey",
-            "iam:CreateUser",
-            "iam:UpdateLoginProfile",
-            "iam:CreateLoginProfile",
-            "iam:DeleteLoginProfile",
-            "iam:UpdateAccountPasswordPolicy",
-            "iam:DeleteAccountPasswordPolicy"
-         ],
-         "Resource":"*",
-         "Condition":{
-            "ArnNotLike":{
-               "aws:PrincipalARN":"arn:aws:iam::${Account}:role/[PRIVILEGED_ROLE]"
-            }
-         }
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "Action": [
+        "iam:CreateAccessKey",
+        "iam:CreateUser",
+        "iam:UpdateLoginProfile",
+        "iam:CreateLoginProfile",
+        "iam:DeleteLoginProfile",
+        "iam:UpdateAccountPasswordPolicy",
+        "iam:DeleteAccountPasswordPolicy",
+        "iam:CreateServiceSpecificCredential"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "ArnNotLike": {
+          "aws:PrincipalArn": "arn:aws:iam::*:role/[PRIVILEGED_ROLE]"
+        },
+        "StringNotLike": {
+          "aws:PrincipalTag/IAMUserManagementException": "true"
+        }
       }
-   ]
-}
+    }
+  ]
+}
