2 answers
4
Try using a role trust policy (basically a resource-based policy) as below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" },
                "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
            }
        }
    ]
}
And use the same for all the roles as required.
answered a year ago
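To see which AssumeRole callers the Deny statement above actually catches, here is a small evaluator for that statement; it is an added example, not part of the answer and not an AWS API. It models only what the statement needs: `${...}` variable substitution, the String*/Bool* operators, and the missing-key rule (negated and *IfExists operators match when the key is absent from the request context). The organization IDs in the sample contexts are constructed placeholders.

```python
"""Evaluate the Deny statement from the answer against sample AssumeRole
request contexts. Added example, independent of any AWS API: it models
${...} variable substitution, String*/Bool* operators and the missing-key
rule (negated and *IfExists operators match when the key is absent)."""
import re

# The statement posted in the answer, as a dict.
DENY_STATEMENT = {
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
    "Condition": {
        "StringNotEquals": {"aws:PrincipalOrgId": "${aws:ResourceOrgId}"},
        "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
    },
}

def _substitute(value, ctx):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _operator_matches(operator, pairs, ctx):
    """True when every key/value pair of one condition operator matches ctx."""
    negated = "Not" in operator
    for key, expected in pairs.items():
        if key not in ctx:
            if negated or operator.endswith("IfExists"):
                continue  # a missing key satisfies these operators
            return False
        actual, expected = ctx[key], _substitute(expected, ctx)
        equal = (actual == expected if operator.startswith("String")
                 else actual.lower() == expected.lower())  # Bool*
        if equal == negated:
            return False
    return True

def statement_applies(statement, ctx):
    """True when all operators match, i.e. this Deny takes effect."""
    return all(_operator_matches(op, pairs, ctx)
               for op, pairs in statement["Condition"].items())

# Constructed request contexts; organization IDs are placeholders.
ORG = "o-example1"
SAME_ORG = {"aws:PrincipalOrgId": ORG, "aws:ResourceOrgId": ORG,
            "aws:PrincipalIsAWSService": "false"}
OTHER_ORG = {**SAME_ORG, "aws:PrincipalOrgId": "o-other222"}
# A service principal has no aws:PrincipalOrgId, which alone would satisfy
# StringNotEquals; the BoolIfExists guard keeps the Deny from applying.
AWS_SERVICE = {"aws:ResourceOrgId": ORG, "aws:PrincipalIsAWSService": "true"}
ANONYMOUS = {"aws:ResourceOrgId": ORG}  # neither key present: Deny applies
```

Running `statement_applies(DENY_STATEMENT, ctx)` for the four contexts shows the Deny blocking the other-org and anonymous callers while leaving same-org principals and AWS service principals untouched.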
1
This cannot be done with an SCP. You have to allow this via the trust policy attached to the role. Something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": "sts:AssumeRole",
            "Condition": { "StringEquals": { "sts:ExternalId": "12345" } }
        }
    ]
}
This example also uses the ExternalId.