Part 3 – Generating AWS Organizations IAM Policies that are restricted by Service

Simply restrict your lab environment of only the essential services that users need.

The IAM Policy Does the following

  1. Deprovisioning resources becomes a lot much easier when its limited to 1 AWS region
  2. As the Time is specified in UTC, ideally run the command at the start of class and give it no more than the possible amount of time it takes to run the lab. Otherwise it will only give the Users in that group permissions for that particular time. Basically cuts off access and allows for grading at that point.
  3. Of course only allow the services that the students need to have access to.

The Json Output of the command above:


In Powershell, use nested hashtables in addition to the great ConvertTo-Json Feature in Powershell in order to create the IAM Policies


  1. List the Services you want to allow and generate the Allow IAM List
  2. import the list of all iam services and generate the deny IAM List
  3. Run the Generate-AWSIAMOrgPolicy Command and output it to a .txt file for usage


The ConvertTo-Json has a level limitation of 2. Specify it to at least 10 levels and that should more than cover the level of hierarchies in the Json hierarchy

Leave a Reply