Prohibit member accounts from accessing stackset-exec-* roles via SCP, with an exception for arn:aws:iam::*:role/OrganizationAccountAccessRole, which shall also be protected via SCP.
See: https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html#control-update-hotfix . Specifically check the "#this line is new" lines.
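One way to express that pattern in an SCP, as an added illustration that is not part of this thread or of the linked AWS page: both statements deny role-tampering IAM actions unless the calling principal is OrganizationAccountAccessRole, so member-account principals can neither change the stackset-exec-* roles nor the exception role itself. The role name patterns are the ones from the post; the action list and the use of aws:PrincipalArn with ArnNotLike are my assumptions, and sts:AssumeRole is deliberately left out so the deny cannot block the principal that StackSets itself runs under.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTamperingWithStackSetExecRoles",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole"
      ],
      "Resource": "arn:aws:iam::*:role/stackset-exec-*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
        }
      }
    },
    {
      "Sid": "ProtectOrganizationAccountAccessRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole"
      ],
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
        }
      }
    }
  ]
}
```

Before attaching this to the member-account OUs, check in CloudTrail which principal actually creates and uses the stackset-exec-* role in a member account; if that principal matches the deny, you recreate exactly the situation described in this thread.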
Hi Martin, just to confirm, you're able to see the CFN stack being deployed when you check the CloudFormation console in the Organizations root account? How about in the Member account?
Also, why do you need to block these roles?
Hey Martin,
It seems like it is a chicken-and-egg situation where the role is created with that prefix, but it's restricted by the SCP, and the SCP can't be pre-unrestricted prior to the role being created. I hope I got it :)
Let me check and get back to you on this.
T
Hey Thiru, the CFN stackset is in the root account; however, when the stackset is deploying the individual stack instances in member accounts, the service role that is created by the stackset to deploy the stack doesn't have enough permissions to do all the necessary steps. It is restricted by an SCP. My problem is I cannot modify the SCP to unrestrict a role which does not exist before the stackset is deployed, its name is not in any way specific, and also the events this role triggers don't carry any info about the stackset it is part of.