# Deny creation of new IAM users and of long-lived access keys.
- sid: "DenyIAMCreatingUsers"
  effect: "Deny"
  actions:
    - "iam:CreateUser"
    - "iam:CreateAccessKey"
  resources:
    - "*"
# Deny changes to IAM roles: attaching/detaching managed policies,
# inline policies, permissions boundaries, trust (assume-role) policies,
# role deletion and role updates.
- sid: "DenyIAMRolesChanges"
  effect: "Deny"
  actions:
    - "iam:AttachRolePolicy"
    - "iam:DeleteRole"
    - "iam:DeleteRolePermissionsBoundary"
    - "iam:DeleteRolePolicy"
    - "iam:DetachRolePolicy"
    - "iam:PutRolePermissionsBoundary"
    - "iam:PutRolePolicy"
    - "iam:UpdateAssumeRolePolicy"
    - "iam:UpdateRole"
    - "iam:UpdateRoleDescription"
  resources:
    - "*"
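# Require MFA: deny every action except the calls needed to set up an MFA
# device and to request a session token, whenever the
# aws:MultiFactorAuthPresent key is absent or false (BoolIfExists treats a
# missing key as a match).
- sid: "DenyIAMNoMFA"
  effect: "Deny"
  not_actions:
    - "iam:CreateVirtualMFADevice"
    - "iam:EnableMFADevice"
    - "iam:GetUser"
    - "iam:ListMFADevices"
    - "iam:ListVirtualMFADevices"
    - "iam:ResyncMFADevice"
    - "sts:GetSessionToken"
  condition:
    - test: "BoolIfExists"
      variable: "aws:MultiFactorAuthPresent"
      values:
        # Quoted on purpose: IAM condition values are strings. An unquoted
        # YAML boolean would rely on the consuming tool coercing it to the
        # string "false" instead of passing it through as-is.
        - "false"
  resources:
    - "*"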
# Deny every action when the calling principal is an account root user.
# NOTE(review): identity-based policies are not evaluated for the root
# user, so this statement only takes effect where the policy is applied
# as an SCP or a resource policy — confirm the intended attachment.
- sid: "DenyIAMRootAccount"
  effect: "Deny"
  actions:
    - "*"
  condition:
    - test: "StringLike"
      variable: "aws:PrincipalArn"
      values:
        - "arn:aws:iam::*:root"
  resources:
    - "*"