En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

IAM Policy that allows only access to "Switch Role"

0

Hi,

I am looking for a IAM policy with limited access that would allow a user to sign in to the AWS console. From there the user would only be able to press the button to switch to another role. The user should only be able to "Switch Role" and that's it. Not additional access is needed other than Switch Role.

For example:

[Main AWS Console Account] ----> (press the "Switch Role" button and enter AWS Account ID and Role) ----> [In New AWS Console Role]

The idea is to use the main account as to jump onto other accounts but with limited permissions to the main account.

Sujets
Sécurité, identité et conformité
Balises
Gestion des identités et des accès AWS
Langue
English
Bicchi
demandé il y a 2 ans972 vues
1 réponse
2

Hi

You can create an IAM user with No permissions to the Main AWS account and assign inline policy to switch role to the Destination account.

Here are the steps:

  1. Create IAM user in Main account

  2. Assign policy to the IAM user in main account

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::XXXXXXXXX:role/switch-role"
    }
}
  1. User can acess to main account but denied to acess any services because AWS have explicit deny, So The IAM user can switch to the destination account based on the role permissions configured in the destination.

Thanks GK

profile picture
GK
répondu il y a 2 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents