Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Organisation resource based policy for delegated admin account principles to limit actions for SCPs based on suborganisation id.

0

Hi, We want to use the delegated administrator for organisation using the resource based delegations policy feature . Our use case is following :

  1. We separate BU. (business units) by OUs in our organisation structure. Now we want a delegated admin account to manage the SCPS(create,delete,update,attach,detach) only. for certain OUs. Here is the example { "Version": "2012-10-17", "Statement": [ { "Sid": “statement1, "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::(delegatedadminaccount):root" }, "Action": "organizations:UpdatePolicy", "Resource": [ "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-aspwa9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asad9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9gdi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idd”, "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idb”, "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9ide” ], "Condition": { "StringNotLike": { "aws:aws:PrincipalARN": [ "arn:aws:iam::(delegatedadminaccount):roleabc/efg/iam_admin" ] } } }, { "Sid": "Statement2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::(delegatedadminaccount):root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribePolicy", "organizations:CreatePolicy", "organizations:DetachPolicy", ], "Resource": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-abcdf42x6c" }, "StringNotLike": { "aws:aws:PrincipalARN": [ "arn:aws:iam::(delegatedadminaccount):role/abc/efg/iam_admin" ] }, "StringEqualsIfExists": { "organizations:PolicyType": "SERVICE_CONTROL_POLICY" } } } ] } However , i am not sure how to restrict the delegated admins to OU level ? .
Themen
Management & Unternehmensführung
Tags
AWS Organisationen
Sprache
English
Iknownothing
gefragt vor einem Jahr232 Aufrufe
1 Antwort
0

One option is to apply tags in each Organizational Unit, then in the delegation policy in AWS Organization Delegated Admin feature you can restrict access to the Organization Unit through their Tag in the Condition section of the policy.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#:~:text=aws%3AResourceTag/%24%7BTagKey%7D-,Condition%20keys%20for%20AWS%20Organizations,-AWS%20Organizations%20defines

AWS
vtjean
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt