AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Delegate SCP administration of specific OU to IAM role of a member account

0

We have a shared Organization and would like to provide member accounts in an Organization to self manage SCPs on OUs where their accounts are located. We want to know if it is possible to do the following:

  1. An organization has OU-A, OU-B and OU-C etc.
  2. An account in OU-B wants to use IAM-User-B to create an SCP in the Management account and assign to OU-B
  3. IAM-USer-B must be have the ability to create/modify/delete SCPs in Organizations in the Management account, but can ONLY assign the SCP to OU-B.
  4. Any attempt to assign an SCP to OU-A or OU-C will be denied.
  5. Auditing is in place and a notification is triggered of any invalid attempt by IAM-User-B
  6. The same principle must be applied to users in OU-A and OU-C.

Any help is appreciated.

Thanks

トピック
セキュリティ、アイデンティティ、コンプライアンス管理とガバナンス
タグ
セキュリティ、アイデンティティ、コンプライアンスAWS Identity and Access ManagementAWS OrganizationsAWS アカウントマネジメントIAM ポリシー
言語
English
rePost-User-0529671
質問済み 1年前656ビュー
1回答
1

Well, if I understand you correctly, when you assign the policy to the user or role the user assumes (do not use users please, use always temp credentials so assume roles), what you can define on that policy is with resource, so you limit the permissions you grant in the policy to that specific resource, here is the idea:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*", 
        "organizations:List*" 
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:AttachPolicy",
      "Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
    }
  ]
}

As you can see on the Resource line, you can restrict the OU in the resource line, to the attach policy permission. Hope this helps to build the desired policy, here is the documentation:

You can also play with some global conditions and ResourceOrgPaths here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

best.

profile pictureAWS
JuanEn_G
回答済み 1年前
  • rePost-User-0529671
    1年前

    Thanks for you r reply @JuanEn_G I can see how that would restrict attachment, but what would they need to allow the IAM role to create/amend/delete SCPs in Organizations?

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ