IAM Policy that allows only access to "Switch Role"


Hi,

I am looking for an IAM policy with limited access that would allow a user to sign in to the AWS console. From there the user would only be able to press the button to switch to another role. The user should only be able to "Switch Role" and that's it. No additional access is needed other than Switch Role.

For example:

[Main AWS Console Account] ----> (press the "Switch Role" button and enter AWS Account ID and Role) ----> [In New AWS Console Role]

The idea is to use the main account as a jump point onto other accounts, but with limited permissions in the main account.

Bicchi
posted 2 years ago, 980 views
1 Answer

Hi

You can create an IAM user with no permissions in the main AWS account and assign an inline policy to switch role to the destination account.

Here are the steps:

  1. Create IAM user in Main account

  2. Assign policy to the IAM user in main account

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::XXXXXXXXX:role/switch-role"
    }
}
  3. The user can access the main account but is denied access to any services because AWS has an explicit deny, so the IAM user can switch to the destination account based on the role permissions configured in the destination.

Thanks GK

GK
answered 2 years ago
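The answer above gives only the source-account half of the setup. The following added example (written for this page, not code from the original post or from AWS) puts both halves side by side: the identity policy on the jump user, and the trust policy the destination role needs, since without it sts:AssumeRole is refused even though the user's own policy allows the call. It then runs a minimal local evaluator that mirrors the IAM decision order (explicit Deny, then Allow, otherwise implicit deny) to show that the user can assume exactly one role and nothing else. Account IDs, the user name "jump-user" and the role name are placeholders, as are the two sample requests.

```python
"""Local check of an "only Switch Role" IAM user.

Added example for this page, not code from the original post or from AWS.
Account IDs, user and role names are placeholders (assumptions).
"""
import fnmatch
import json

SOURCE_ACCOUNT = "111111111111"   # assumption: the "main" (jump) account
DEST_ACCOUNT = "222222222222"     # assumption: the account switched into
USER_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:user/jump-user"
ROLE_ARN = f"arn:aws:iam::{DEST_ACCOUNT}:role/switch-role"

# Identity policy attached inline to the IAM user in the main account.
# Same shape as the policy in the answer, with the placeholder account ID.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    },
}

# Trust policy on the destination role. The role must name the caller
# (or the caller's account root) or the switch fails on the STS side.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM lets Statement, Action, Resource and Principal be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    """IAM wildcard match: '*' is any run, '?' one character; case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one identity policy.

    Mirrors the IAM order: an explicit Deny wins, an Allow is needed for
    access, and anything the policy does not mention is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _match(stmt.get("Action", []), action):
            continue
        if "Resource" in stmt and not _match(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def trusts(trust_policy, principal_arn):
    """True if the role's trust policy lets principal_arn call sts:AssumeRole.

    Trusting the caller's account root ("arn:aws:iam::ACCOUNT:root" or the bare
    account ID) delegates the decision to that account's own identity policies,
    so it counts as trusted here; the identity policy is checked separately.
    """
    account = principal_arn.split(":")[4]
    root_forms = {account, f"arn:aws:iam::{account}:root"}
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _match(stmt.get("Action", []), "sts:AssumeRole"):
            continue
        allowed = set(_as_list(stmt.get("Principal", {}).get("AWS", [])))
        if principal_arn in allowed or "*" in allowed or allowed & root_forms:
            return True
    return False


def can_switch_role(user_policy, trust_policy, user_arn, role_arn):
    """Both halves must allow: the user may call AssumeRole on this role,
    and the role's trust policy accepts the user."""
    return (evaluate(user_policy, "sts:AssumeRole", role_arn) == "Allow"
            and trusts(trust_policy, user_arn))


if __name__ == "__main__":
    print(json.dumps(USER_POLICY, indent=2))
    print(json.dumps(TRUST_POLICY, indent=2))
    # Constructed sample requests: the one allowed switch, and two that must fail.
    print("switch-role:", can_switch_role(USER_POLICY, TRUST_POLICY, USER_ARN, ROLE_ARN))
    print("s3 in main account:", evaluate(USER_POLICY, "s3:ListAllMyBuckets", "*"))
    other_role = f"arn:aws:iam::{DEST_ACCOUNT}:role/admin"
    print("other role:", evaluate(USER_POLICY, "sts:AssumeRole", other_role))
```

The evaluator deliberately models only Action, Resource, Effect and the AWS principal; Condition keys (for example requiring MFA on the trust policy) are not modeled and would be the next thing to add when hardening the jump user. Keep the Resource in the user policy scoped to the exact role ARN: widening it to "*" would let the user assume any role in any account that happens to trust the main account.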
