From 5fd53dc269a0a7174a3d2d669870399f7af6fbb5 Mon Sep 17 00:00:00 2001
From: Cody Wood
Date: Wed, 9 Jun 2021 21:11:48 -0600
Subject: [PATCH 1/2] https://github.com/aws-samples/aws-iam-permissions-guardrails/issues/42
---
 guardrails/iam/SCP-IAM-6.json | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 guardrails/iam/SCP-IAM-6.json
diff --git a/guardrails/iam/SCP-IAM-6.json b/guardrails/iam/SCP-IAM-6.json
new file mode 100644
index 0000000..2a0d1d7
--- /dev/null
+++ b/guardrails/iam/SCP-IAM-6.json
@@ -0,0 +1,28 @@
+{
+ "Identifier": "SCP-IAM-6",
+ "Guardrail": "Prevent Creation of New IAM Users or Access Keys",
+ "Rationale": [
+ "Restrict creation of any new IAM users access keys to prohibit bypass of SSO and other controls"
+ ],
+ "Test Scenarios": [
+ {
+ "Test-Scenario": "Create new user",
+ "Steps": [
+ "Log in to the AWS console with a role that is allowed to call CreateUser and/or CreateAccessKey",
+ "Create a new user",
+ "Create an access key for that user"
+ ],
+ "Expected-Result": "Access Denied"
+ }
+ ],
+ "References": [
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+ ],
+ "Policy-Type": "SCP",
+ "SCP-Type": "Prevent-All",
+ "IAM Actions": [
+ "iam:CreateUser",
+ "iam:CreateAccessKey"
+ ],
+ "Resource": ["*"]
+}
\ No newline at end of file
From 4e317577e4899d667c07bf57f3b688ba6170fcd5 Mon Sep 17 00:00:00 2001
From: Cody Wood
Date: Tue, 15 Jun 2021 07:56:23 -0600
Subject: [PATCH 2/2] Converted to Prevent-All-Except
---
 guardrails/iam/SCP-IAM-6.json | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/guardrails/iam/SCP-IAM-6.json b/guardrails/iam/SCP-IAM-6.json
index 2a0d1d7..51c6a44 100644
--- a/guardrails/iam/SCP-IAM-6.json
+++ b/guardrails/iam/SCP-IAM-6.json
@@ -19,10 +19,20 @@
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
 ],
 "Policy-Type": "SCP",
- "SCP-Type": "Prevent-All",
+ "SCP-Type": "Prevent-All-Except",
 "IAM Actions": [
 "iam:CreateUser",
 "iam:CreateAccessKey"
 ],
- "Resource": ["*"]
+ "Resource": ["*"],
+ "Condition": [
+ {
+ "ArnNotLike": {
+ "aws:PrincipalArn": [
+ "arn:aws:iam::*:role/[IAM_ADMINISTRATOR_ROLE]"
+ ]
+ }
+ }
+ ],
+ "Category": "Strongly recommended"
 }
\ No newline at end of file
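Review bot: The `ArnNotLike` carve-out on `aws:PrincipalArn` means the guardrail now permits the excepted administrator role, but the file's `Test Scenarios` block (near the top of the file, outside this hunk) still has a single scenario whose `Expected-Result` is `"Access Denied"` for any role allowed to call CreateUser, so the test no longer describes the policy. Add a second scenario that signs in as the excepted role and creates a user and access key, e.g. `"Test-Scenario": "Create new user as the excepted IAM administrator role"` with `"Expected-Result": "Success"`, and keep the existing scenario for a non-excepted role. `[IAM_ADMINISTRATOR_ROLE]` is a placeholder the deployer must replace; the Rationale should say so and note that `aws:PrincipalArn` evaluates to the role ARN for assumed-role sessions, which is why a role-ARN pattern rather than a session ARN is matched. Because this role becomes the only path around the guardrail, the Rationale should also direct the reader to protect the role itself (its trust policy and who may modify it); if the repository already has a guardrail for privileged roles, referencing it here would be worthwhile. Note that `Condition` is written as an array of objects while an IAM policy's `Condition` element is a single object — fine if this matches the sibling guardrail files' schema and the tooling that renders them, otherwise it will not paste into an SCP as-is.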