I have a user, let's call him ADMIN, now I want to give him IAM policy to create users, and s3 read write access to specific buckets and nothing else.
Now the most important part of this problem is that I want to limit this scope in such a way that only the ADMIN can create users and not the users themselves.
For example, Admin creates user 1,user 2, user 3, now these users cannot create users themselves, like user 1 should not be able to create a user 4 or so. Also these users1,2,3 should only have read write access to particular s3 buckets just as the admin and nothing else.
How do I achieve this?
With IAM Policies you can specify what actions can or cannot be taken by a given entity. In this case you can attach IAM Policies to an IAM Role or an IAM User like Admin and give this entity the rights to create IAM Users and to read/write to S3.
While you cannot specify explicitly which actions the users created by the Admin role will take from its policy document, you could limit which IAM Policies the Admin user can attach to users.
To do so you could create a custom IAM Policy that gives permissions to only read/write from a specific S3 and then allow the Admin role to be able attach only that specific IAM Policy and nothing else.
You can read more about these kind of actions and conditions in the IAM Documentation.