
IAM has a limit of 10 policies per group and this is not adjustable according to Service Quotas. I have users that need to use 20 policies. Since the policy limit is 10 per group I created a custom policy combining all of them, but halfway through I get this error:

"Your policy character exceeds the non-whitespace character limit of 6,144."

According to Service Quotas, this is also non-adjustable. How do I get around this? I do not want to make these users full admins or power users.

Edit: I should add that I am configuring the permissions this way to meet the control IAM.2 for CIS AWS Foundations Benchmark v1.4.0, NIST SP 8000-53 Rev. 5 and PCI DSS, which states that IAM users should not have IAM policies attached.

tykom

  • Reduce the scope of an IAM group and assign individual IAM users to multiple IAM groups? Also, see [How can I increase the default managed policies or character size limit for an IAM role or user?](https://www.youtube.com/watch?v=7MiGIvgtUyE) – jarmod Apr 10 '23 at 16:04
  • I think I'm just going to have to disable the Security Hub control and add the policies directly to the users as that seems to be the only way to consolidate them in one place – tykom Apr 10 '23 at 16:58
  • Ugh, always take those "standards" with a grain of salt. There is no security risk in having policies attached to Users or Roles. In some situations, using Groups *may* improve maintainability; in other situations, it actually impairs maintainability because you're introducing additional resources that serve no useful purpose. – user3553031 Apr 10 '23 at 17:33

1 Answer


You could create multiple Roles and allow your users to assume them.

So you could create a separate Role for every task, each with the specific policies attached to it.

wiomoc
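As an added illustration of the answer's approach (not code from the answerer or from AWS), the script below plans one role per task, builds each role's trust policy so that only the named IAM users can assume it, and builds the single sts:AssumeRole policy the users' group needs. It measures every generated document the way the 6,144 non-whitespace-character limit from the question is counted, and it assumes a role is capped at the same 10 attached managed policies as a group; the account id, user names and policy ARNs are constructed placeholders.

```python
import json

# Non-adjustable IAM quotas quoted in the question.
POLICY_CHAR_LIMIT = 6144       # non-whitespace characters per managed policy document
ATTACHED_POLICY_LIMIT = 10     # managed policies per group; assumed here to cap a role as well

def non_whitespace_len(policy: dict) -> int:
    """Policy size the way IAM counts it for the 6,144 limit: every non-whitespace character."""
    return sum(1 for ch in json.dumps(policy) if not ch.isspace())

def trust_policy(account_id: str, user_names: list[str]) -> dict:
    """Trust policy for a task role: only the named IAM users in this account may assume it."""
    principals = [f"arn:aws:iam::{account_id}:user/{u}" for u in user_names]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": principals},
                           "Action": "sts:AssumeRole"}]}

def group_assume_policy(account_id: str, role_names: list[str]) -> dict:
    """The one policy the users' group needs: sts:AssumeRole on the task roles, nothing else."""
    roles = [f"arn:aws:iam::{account_id}:role/{r}" for r in role_names]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": roles}]}

def plan_task_roles(account_id: str, user_names: list[str], tasks: dict[str, list[str]]):
    """tasks maps a role name to the managed policy ARNs it should carry.
    Returns ({role: {"trust": doc, "policy_arns": [...]}}, group_policy) and refuses
    any plan that would hit either quota instead of failing halfway through creation."""
    roles = {}
    for role, arns in tasks.items():
        if len(arns) > ATTACHED_POLICY_LIMIT:
            raise ValueError(f"{role}: {len(arns)} policies exceeds {ATTACHED_POLICY_LIMIT}")
        trust = trust_policy(account_id, user_names)
        if non_whitespace_len(trust) > POLICY_CHAR_LIMIT:
            raise ValueError(f"{role}: trust policy too large, split the user list")
        roles[role] = {"trust": trust, "policy_arns": list(arns)}
    group = group_assume_policy(account_id, list(tasks))
    if non_whitespace_len(group) > POLICY_CHAR_LIMIT:
        raise ValueError("group policy too large, spread the roles over more groups")
    return roles, group

if __name__ == "__main__":
    # Constructed sample: 20 policy ARNs split across two task roles for two users.
    acct = "123456789012"  # placeholder account id
    tasks = {"task-a-role": [f"arn:aws:iam::{acct}:policy/PolicyA{i}" for i in range(10)],
             "task-b-role": [f"arn:aws:iam::{acct}:policy/PolicyB{i}" for i in range(10)]}
    roles, group = plan_task_roles(acct, ["alice", "bob"], tasks)
    for name, r in roles.items():
        # aws iam create-role --role-name NAME --assume-role-policy-document file://trust.json
        # aws iam attach-role-policy --role-name NAME --policy-arn ARN   (once per ARN)
        print(name, len(r["policy_arns"]), "policies,", non_whitespace_len(r["trust"]), "chars")
    print(json.dumps(group, indent=2))
```

Because the users themselves only ever hold the sts:AssumeRole policy through their group, the Security Hub control from the question is satisfied while each role still carries exactly the permissions its task needs.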