{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyIAMAdministerResource", "Effect": "Deny", "Action": [ "iam:AcceptDelegationRequest", "iam:AddRoleToInstanceProfile", "iam:AddUserToGroup", "iam:AssociateDelegationRequest", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateAccountAlias", "iam:CreateDelegationRequest", "iam:CreateGroup", "iam:CreateInstanceProfile", "iam:CreateLoginProfile", "iam:CreateOpenIDConnectProvider", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateSAMLProvider", "iam:CreateServiceLinkedRole", "iam:CreateServiceSpecificCredential", "iam:CreateUser", "iam:CreateVirtualMFADevice", "iam:DeactivateMFADevice", "iam:DeleteAccessKey", "iam:DeleteAccountAlias", "iam:DeleteAccountPasswordPolicy", "iam:DeleteCloudFrontPublicKey", "iam:DeleteGroup", "iam:DeleteGroupPolicy", "iam:DeleteInstanceProfile", "iam:DeleteLoginProfile", "iam:DeleteOpenIDConnectProvider", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePermissionsBoundary", "iam:DeleteRolePolicy", "iam:DeleteSAMLProvider", "iam:DeleteServerCertificate", "iam:DeleteServiceLinkedRole", "iam:DeleteServiceSpecificCredential", "iam:DeleteSigningCertificate", "iam:DeleteSSHPublicKey", "iam:DeleteUser", "iam:DeleteUserPermissionsBoundary", "iam:DeleteUserPolicy", "iam:DeleteVirtualMFADevice", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:DisableOrganizationsRootCredentialsManagement", "iam:DisableOrganizationsRootSessions", "iam:DisableOutboundWebIdentityFederation", "iam:EnableMFADevice", "iam:EnableOrganizationsRootCredentialsManagement", "iam:EnableOrganizationsRootSessions", "iam:EnableOutboundWebIdentityFederation", "iam:PassRole", "iam:PutGroupPolicy", "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy", "iam:PutUserPermissionsBoundary", "iam:PutUserPolicy", "iam:RejectDelegationRequest", "iam:RemoveClientIDFromOpenIDConnectProvider", "iam:RemoveRoleFromInstanceProfile", "iam:RemoveUserFromGroup", "iam:ResetServiceSpecificCredential", "iam:ResyncMFADevice", "iam:SendDelegationToken", "iam:SetDefaultPolicyVersion", "iam:SetSecurityTokenServicePreferences", "iam:TagInstanceProfile", "iam:TagMFADevice", "iam:TagOpenIDConnectProvider", "iam:TagPolicy", "iam:TagSAMLProvider", "iam:TagServerCertificate", "iam:UntagInstanceProfile", "iam:UntagMFADevice", "iam:UntagOpenIDConnectProvider", "iam:UntagPolicy", "iam:UntagSAMLProvider", "iam:UntagServerCertificate", "iam:UpdateAccessKey", "iam:UpdateAccountEmailAddress", "iam:UpdateAccountName", "iam:UpdateAccountPasswordPolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateCloudFrontPublicKey", "iam:UpdateGroup", "iam:UpdateLoginProfile", "iam:UpdateOpenIDConnectProviderThumbprint", "iam:UpdateRole", "iam:UpdateRoleDescription", "iam:UpdateSAMLProvider", "iam:UpdateServerCertificate", "iam:UpdateServiceSpecificCredential", "iam:UpdateSigningCertificate", "iam:UpdateSSHPublicKey", "iam:UpdateUser", "iam:UploadCloudFrontPublicKey", "iam:UploadServerCertificate", "iam:UploadSigningCertificate", "iam:UploadSSHPublicKey" ], "Resource": "*" }, { "Sid": "AllowPermissionsGrantedByOtherPolicies", "Effect": "Allow", "Action": "*", "Resource": "*" } ] }