The first recommendation is to add conditions to the trust policy of the role. This limits the principal that can assume it. Further information here - https://docs.aws.amazon.com/controltower/latest/userguide/conditions-for-role-trust.html and here - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
As for limiting the full authority, the approach recommended is to set up a permissions boundary on the role. You can define the maximum permissions of the role and even explicitly deny actions such as modifying or deleting logging buckets, or even accessing the audit account altogether. You would also want to define in the policy that it cannot perform actions in IAM on itself "NotResource:ROLE" and that it cannot edit the Permissions Boundary "NoBoundaryPolicyEdit". Examples of this are linked below.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
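The two controls the answer above describes, as an added example (not code from AWS or from the answer's author): a trust policy whose conditions narrow who may assume the role, a permissions boundary with the "NotResource:ROLE" and "NoBoundaryPolicyEdit" guardrails plus denies for logging buckets and the audit account, and a small checker that a CI step could run over any boundary document. Every account ID, ARN, bucket name and organization ID is a constructed placeholder.

```python
"""Role guardrails: conditioned trust policy, permissions boundary, and a checker.

Added example, not code from AWS or the re:Post answer. All identifiers below
are constructed placeholders, not real accounts or resources.
"""
import json

# Constructed placeholder identifiers (assumptions, not real resources).
ACCOUNT_ID = "111122223333"
AUDIT_ACCOUNT_ID = "999988887777"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleAutomationRole"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/ExampleBoundary"
LOG_BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs"


def trust_policy(trusted_account: str, allowed_principal_arn: str, org_id: str) -> dict:
    """Trust policy: the trusted account may assume the role, but only from one
    named principal and only while that principal belongs to our organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {"aws:PrincipalArn": allowed_principal_arn},
                "StringEquals": {"aws:PrincipalOrgID": org_id},
            },
        }],
    }


def permissions_boundary(role_arn: str, boundary_arn: str,
                         log_bucket_arn: str, audit_account_id: str) -> dict:
    """Boundary = ceiling on the role's permissions. Anything not allowed here is
    unavailable even if an attached identity policy grants it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Ceiling for non-IAM work; the role's own policies narrow this further.
                "Sid": "ServiceCeiling",
                "Effect": "Allow",
                "Action": ["s3:*", "ec2:*", "logs:*"],
                "Resource": "*",
            },
            {   # IAM on everything except the role itself ("NotResource:ROLE"), so the
                # role can never widen, detach or re-trust its own identity.
                "Sid": "IamExceptSelf",
                "Effect": "Allow",
                "Action": "iam:*",
                "NotResource": role_arn,
            },
            {   # The boundary policy document itself cannot be edited or replaced.
                "Sid": "NoBoundaryPolicyEdit",
                "Effect": "Deny",
                "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                           "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": boundary_arn,
            },
            {   # Logging buckets: no deletion, no policy/logging changes, no object removal.
                "Sid": "ProtectLoggingBuckets",
                "Effect": "Deny",
                "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                           "s3:PutBucketLogging", "s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": [log_bucket_arn, f"{log_bucket_arn}/*"],
            },
            {   # Nothing owned by the audit account may be touched by this role.
                "Sid": "NoAuditAccountAccess",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:ResourceAccount": audit_account_id}},
            },
        ],
    }


def _as_list(value):
    """Policy elements may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def boundary_guardrails(policy: dict, role_arn: str, boundary_arn: str) -> dict:
    """Inspect a boundary document for the guardrails discussed above.
    Returns {check_name: passed}; a pipeline step can fail on any False."""
    stmts = _as_list(policy.get("Statement"))
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    denies = [s for s in stmts if s.get("Effect") == "Deny"]

    def grants_iam(stmt):
        return any(a == "*" or a.startswith("iam:") for a in _as_list(stmt.get("Action")))

    # Every Allow that reaches IAM must carve the role itself out via NotResource.
    iam_excludes_self = all(role_arn in _as_list(s.get("NotResource"))
                            for s in allows if grants_iam(s))
    # An explicit Deny must lock the boundary policy's versions.
    boundary_locked = any(
        boundary_arn in _as_list(s.get("Resource"))
        and {"iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"} <= set(_as_list(s.get("Action")))
        for s in denies)
    # A Deny on "*" keyed on aws:ResourceAccount walls off the audit account.
    audit_blocked = any(
        "*" in _as_list(s.get("Action"))
        and "aws:ResourceAccount" in s.get("Condition", {}).get("StringEquals", {})
        for s in denies)
    return {"iam_excludes_role_itself": iam_excludes_self,
            "boundary_policy_locked": boundary_locked,
            "audit_account_blocked": audit_blocked}


if __name__ == "__main__":
    boundary = permissions_boundary(ROLE_ARN, BOUNDARY_ARN, LOG_BUCKET_ARN, AUDIT_ACCOUNT_ID)
    print(json.dumps(boundary, indent=2))
    print(boundary_guardrails(boundary, ROLE_ARN, BOUNDARY_ARN))
```

The boundary caps only this role. If the role is allowed to create other roles, also condition `iam:CreateRole` and `iam:AttachRolePolicy` on the `iam:PermissionsBoundary` condition key, so that any role it creates inherits the same boundary instead of escaping it.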