IAM Policy that allows only access to "Switch Role"

0

Hi,

I am looking for an IAM policy with limited access that would allow a user to sign in to the AWS console. From there the user would only be able to press the button to switch to another role. The user should only be able to "Switch Role" and that's it. No additional access is needed other than Switch Role.

For example:

[Main AWS Console Account] ----> (press the "Switch Role" button and enter AWS Account ID and Role) ----> [In New AWS Console Role]

The idea is to use the main account as to jump onto other accounts but with limited permissions to the main account.

1 answer
2

Hi

You can create an IAM user with no permissions in the Main AWS account and assign an inline policy to switch role to the Destination account.

Here are the steps:

  1. Create an IAM user in the Main account.

  2. Assign this policy to the IAM user in the Main account:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::XXXXXXXXX:role/switch-role"
    }
}

  3. The user can access the Main account but is denied access to any services because AWS has an explicit deny, so the IAM user can switch to the destination account based on the role permissions configured in the destination.

Thanks GK

GK
Answered 2 years ago
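As an added example (not part of the answer above or of any AWS-provided code), the following Python script generates the two documents this setup needs and checks the user policy for least privilege: the inline policy from the answer for the jump user in the Main account, plus the trust policy on the destination role, which must name the jump user as a trusted principal or the Switch Role attempt is refused. The account IDs, the user name `jump-user` and the role ARN pattern check are constructed assumptions; the role name `switch-role` is the one used in the answer.

```python
import json
import re

# Constructed placeholder account IDs (the answer itself uses XXXXXXXXX).
MAIN_ACCOUNT_ID = "111111111111"
DEST_ACCOUNT_ID = "222222222222"
ROLE_NAME = "switch-role"     # role name from the answer
JUMP_USER_NAME = "jump-user"  # assumed name for the IAM user in the Main account

# A single, fully qualified IAM role ARN: no wildcards allowed.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def user_policy(dest_account_id: str, role_name: str) -> dict:
    """Inline policy for the jump user in the Main account.

    It grants exactly one thing: sts:AssumeRole on one destination role.
    Everything else stays denied by default, which is what lets the user sign in
    and use Switch Role without being able to touch Main-account services."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{dest_account_id}:role/{role_name}",
        }],
    }


def role_trust_policy(main_account_id: str, user_name: str) -> dict:
    """Trust policy for the destination role.

    The user-side policy alone is not enough: the destination role must also
    trust the caller. Naming the one user ARN (rather than the whole Main
    account) keeps the set of principals that can assume the role minimal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{main_account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def only_assume_role(policy: dict) -> bool:
    """Least-privilege check for the jump user's policy.

    Returns True only if every Allow statement grants exactly sts:AssumeRole on
    explicit role ARNs: no other actions, no NotAction/NotResource inversions,
    and no wildcard resources."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            return False
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            return False
        resources = _as_list(stmt.get("Resource", []))
        if not resources or not all(ROLE_ARN_RE.match(r) for r in resources):
            return False
    return True


if __name__ == "__main__":
    policy = user_policy(DEST_ACCOUNT_ID, ROLE_NAME)
    trust = role_trust_policy(MAIN_ACCOUNT_ID, JUMP_USER_NAME)
    print("Inline policy for the jump user (Main account):")
    print(json.dumps(policy, indent=4))
    print("\nTrust policy for the destination role:")
    print(json.dumps(trust, indent=4))
    print("\nUser policy is AssumeRole-only:", only_assume_role(policy))
```

Run the script to print both JSON documents ready to paste into the console, or import it and run `only_assume_role` over an existing user policy before attaching it; a policy whose `Resource` is `*` or whose `Action` is anything other than `sts:AssumeRole` is rejected.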
