How can I give only specific AWS "iam : putUserPolicy" permissions?

Use case- In our application we need to give iam : putUserPolicy permissions to IAM entities. That is trivial. We can assign the policy mentioned below to the IAM entity to which we want to give iam : putUserPolicy permission- { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "iam : putUserPolicy" ], "Resource":"*" } ] }

We have another requirement. Let's say we assign putUserPolicy to IAM user U1. This means that now U1 can assign ANY policy to ANY IAM user. The second "ANY" can be avoided by changing "Resource":"*" to "Resource":"user-arn" but how do we deal with the first ANY? Is there a way to give "iam : putUserPolicy" permission such that putting only "iam : CreateUser" permission is allowed? Or perhaps only "iam : CreateUser" is blocked and putting rest all policies is allowed?

I went through the AWS documentation and I found conditions kind of helpful but I could not find any IAM service-specific keys and values though I did find some for EC2 and SNS.

As an example we can assign the following policy: - { "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":["s3:ListBucket"], "Resource":"*", "Condition":{"StringNotEquals":["s3:prefix":"arn:aws:s3:::BUCKET-NAME/home/"]} } ] }

which gives permissions to all other S3 folders and buckets except the home folder in a particular bucket.

Can we do something like: - ??? { "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":["iam:PutUserPolicy"], "Resource":"*", "Condition":{"StringNotEquals":["iam:policy-contains":"iam:CreateUser"]} } ] }