Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Organisation resource based policy for delegated admin account principles to limit actions for SCPs based on suborganisation id.

0

Hi, We want to use the delegated administrator for organisation using the resource based delegations policy feature . Our use case is following :

  1. We separate BU. (business units) by OUs in our organisation structure. Now we want a delegated admin account to manage the SCPS(create,delete,update,attach,detach) only. for certain OUs. Here is the example { "Version": "2012-10-17", "Statement": [ { "Sid": “statement1, "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::(delegatedadminaccount):root" }, "Action": "organizations:UpdatePolicy", "Resource": [ "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-aspwa9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asad9idi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9gdi", "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idd”, "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9idb”, "arn:aws:organizations::(managementAccount):policy/o-abcdf42x6c/service_control_policy/p-asza9ide” ], "Condition": { "StringNotLike": { "aws:aws:PrincipalARN": [ "arn:aws:iam::(delegatedadminaccount):roleabc/efg/iam_admin" ] } } }, { "Sid": "Statement2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::(delegatedadminaccount):root" }, "Action": [ "organizations:DescribeOrganization", "organizations:DescribePolicy", "organizations:CreatePolicy", "organizations:DetachPolicy", ], "Resource": "*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-abcdf42x6c" }, "StringNotLike": { "aws:aws:PrincipalARN": [ "arn:aws:iam::(delegatedadminaccount):role/abc/efg/iam_admin" ] }, "StringEqualsIfExists": { "organizations:PolicyType": "SERVICE_CONTROL_POLICY" } } } ] } However , i am not sure how to restrict the delegated admins to OU level ? .
Temas
Gestión y gobierno
Etiquetas
AWS Organizations
Idioma
English
Iknownothing
preguntada hace un año234 visualizaciones
1 Respuesta
0

One option is to apply tags in each Organizational Unit, then in the delegation policy in AWS Organization Delegated Admin feature you can restrict access to the Organization Unit through their Tag in the Condition section of the policy.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#:~:text=aws%3AResourceTag/%24%7BTagKey%7D-,Condition%20keys%20for%20AWS%20Organizations,-AWS%20Organizations%20defines

AWS
vtjean
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante