Disable Update Role


Our SSO users are registered by API in a batch we schedule based on ldap attributes.
We don't want users with the ADMIN role to be able to update users' roles in the UI (it should be the responsibility of our batch so that roles stay synchronized with LDAP).
I tried to attach the following policy to the admin federated role, but the admin user is still able to update roles in the UI.

"Effect": "Deny",
"Action": [
"Resource": "*"

Am I wrong in the policy or is there another way to do it?

Thanks for your help.

I might not be the best person to answer this, but can you change your Admin to Authors? Is there a reason to keep them as Admin?

If you change them to Authors they shouldn’t be able to update the roles.

@Max, I’d like to keep them as admin to be able to manage groups & users in groups.

I would look into opening up a case with AWS.

Here are the steps to open a support case. If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whomever manages your AWS account. They should be able to open an AWS Support case on your behalf. Hope this helps!