"Allow", "NotAction": [ "iam:*", "organizations:*", "account:*" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": "ap-northeast-1" } } }, { "Sid": "PowerUserAccessLimitedIAM", "Effect": "Allow", "Action": [ "account:GetAccountInformation", "account:GetPrimaryEmail", "account:ListRegions", "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole", "iam:ListRoles", "organizations:DescribeEffectivePolicy", "organizations:DescribeOrganization" ], "Resource": "*" }, { "Sid": "IAMUserManagement", "Effect": "Allow", "Action": [ "iam:CreateUser", "iam:DeleteUser", "iam:GetUser", "iam:ListUsers", "iam:TagUser", "iam:UntagUser", "iam:ListUserTags", "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:DeleteLoginProfile", "iam:GetLoginProfile", "iam:ListAccessKeys", "iam:DeleteAccessKey", "iam:UpdateAccessKey", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:DeleteUserPolicy", "iam:ListGroupsForUser" ], "Resource": "*" }, { "Sid": "IAMGroupManagement", "Effect": "Allow", "Action": [ "iam:CreateGroup", "iam:DeleteGroup", "iam:GetGroup", "iam:ListGroups", "iam:AddUserToGroup", "iam:RemoveUserFromGroup", "iam:AttachGroupPolicy", "iam:DetachGroupPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies" ], "Resource": "*" }, { "Sid": "ChangeOwnPassword", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "SSMPassRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/SSM-Automation-ExecutionRole" } ] } 【実現したベストプラクティス】 1. 最小権限の原則 - NotActionでIAM/Organizations/Accountの完全な権限を除外 - リージョン制限(ap-northeast-1のみ)を実装 - サービスリンクロールのみ作成可能に制限 2. リージョン制限の適切な適用 - aws:RequestedRegion条件で東京リージョンに限定 - コスト管理とコンプライアンス要件に対応 3. 自己パスワード変更の許可 - ${aws:username}変数で本人のみに制限 - セキュリティ運用の基本 JSONファイル