1回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
Well, if I understand you correctly, when you assign the policy to the user or role the user assumes (do not use users please, use always temp credentials so assume roles), what you can define on that policy is with resource, so you limit the permissions you grant in the policy to that specific resource, here is the idea:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "organizations:AttachPolicy",
"Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
}
]
}
As you can see on the Resource line, you can restrict the OU in the resource line, to the attach policy permission. Hope this helps to build the desired policy, here is the documentation:
You can also play with some global conditions and ResourceOrgPaths here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
best.
回答済み 1年前
関連するコンテンツ
- AWS公式更新しました 2年前
- AWS公式更新しました 7ヶ月前
Thanks for you r reply @JuanEn_G I can see how that would restrict attachment, but what would they need to allow the IAM role to create/amend/delete SCPs in Organizations?