Delegate SCP administration of specific OU to IAM role of a member account

0

We have a shared Organization and would like to allow member accounts in the Organization to self-manage SCPs on the OUs where their accounts are located. We want to know if it is possible to do the following:

  1. An organization has OU-A, OU-B, OU-C, etc.
  2. An account in OU-B wants to use IAM-User-B to create an SCP in the Management account and assign it to OU-B.
  3. IAM-User-B must have the ability to create/modify/delete SCPs in Organizations in the Management account, but can ONLY assign the SCP to OU-B.
  4. Any attempt to assign an SCP to OU-A or OU-C will be denied.
  5. Auditing is in place and a notification is triggered on any invalid attempt by IAM-User-B.
  6. The same principle must be applied to users in OU-A and OU-C.

Any help is appreciated.

Thanks

1 answer
1

Well, if I understand you correctly, when you attach the policy to the user, or to the role the user assumes (please do not use IAM users; always use temporary credentials, so assume roles), what you can define in that policy is the resource, so you limit the permissions you grant in the policy to that specific resource. Here is the idea:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:AttachPolicy",
      "Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
    }
  ]
}

As you can see, the Resource line restricts the AttachPolicy permission to that one OU. Hope this helps you build the desired policy; here is the documentation:

You can also play with some global condition keys and ResourceOrgPaths, see here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

Best.

AWS
answered a year ago
  • Thanks for your reply @JuanEn_G. I can see how that would restrict attachment, but what would they need to allow the IAM role to create/amend/delete SCPs in Organizations?
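The idea in the answer above, carried through as an added example (this is not code from the original question or answer): a small Python script that builds one IAM policy per OU, so the same principle covers OU-A, OU-B and OU-C, and a minimal IAM-style evaluator that shows why an AttachPolicy call against another OU falls through to the implicit deny. The account ID, organization ID, OU IDs and the tag key `delegated-ou` are made-up placeholders. The tag-based conditions on `CreatePolicy`, `UpdatePolicy` and `DeletePolicy` go beyond what the answer shows; they are this example's approach to the follow-up question about creating and amending SCPs, not something the answerer stated.

```python
"""Per-OU delegated SCP administration policies plus a minimal IAM-style
evaluator. Added example, not code from the original question or answer.

All identifiers below are constructed placeholders: the management
account ID, organization ID, OU IDs and the tag key "delegated-ou"
(a naming choice of this example, not an AWS-defined key)."""
import fnmatch
import json

MGMT_ACCOUNT = "111111111111"          # placeholder management account ID
ORG_ID = "o-exampleorgid"              # placeholder organization ID
OUS = {                                # placeholder OU IDs, one per OU
    "OU-A": "ou-root-aaaaaaaa",
    "OU-B": "ou-root-bbbbbbbb",
    "OU-C": "ou-root-cccccccc",
}
TAG_KEY = "delegated-ou"               # tag tying an SCP to the OU it was created for
SCP_ARN_PREFIX = (f"arn:aws:organizations::{MGMT_ACCOUNT}:policy/{ORG_ID}"
                  "/service_control_policy/")


def ou_arn(ou_id):
    """ARN of an OU, same shape as the Resource line in the answer."""
    return f"arn:aws:organizations::{MGMT_ACCOUNT}:ou/{ORG_ID}/{ou_id}"


def policy_for_ou(ou_name):
    """IAM policy for the role that OU's accounts assume in the management
    account. Attach/Detach is resource-scoped to this OU; Create/Update/
    Delete is scoped by tag so the role cannot edit SCPs attached elsewhere.
    TagResource/UntagResource is deliberately not granted, so the role
    cannot re-tag an SCP into (or out of) its own scope."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnly",
                "Effect": "Allow",
                "Action": ["organizations:Describe*", "organizations:List*"],
                "Resource": "*",
            },
            {
                "Sid": "AttachOnlyToDelegatedOu",
                "Effect": "Allow",
                "Action": ["organizations:AttachPolicy", "organizations:DetachPolicy"],
                # Both the target OU and the SCP being attached are resources of
                # these calls, so both ARN patterns are listed; OU-A or OU-C
                # match neither and fall through to the implicit deny.
                "Resource": [ou_arn(OUS[ou_name]), SCP_ARN_PREFIX + "*"],
            },
            {
                "Sid": "CreateScpTaggedForThisOu",
                "Effect": "Allow",
                "Action": "organizations:CreatePolicy",
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "organizations:PolicyType": "SERVICE_CONTROL_POLICY",
                    f"aws:RequestTag/{TAG_KEY}": ou_name,
                }},
            },
            {
                "Sid": "ManageOnlyOwnScps",
                "Effect": "Allow",
                "Action": ["organizations:UpdatePolicy", "organizations:DeletePolicy"],
                "Resource": SCP_ARN_PREFIX + "*",
                "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": ou_name}},
            },
        ],
    }


def delegated_policies():
    """One policy per OU (the 'same principle for OU-A and OU-C' point)."""
    return {name: policy_for_ou(name) for name in OUS}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, context=None):
    """Minimal evaluator: an Allow statement must match the action, the
    resource (IAM-style * and ? wildcards) and every StringEquals condition
    key against the request context; otherwise implicit deny. Real IAM adds
    explicit Deny, NotAction/NotResource, policy variables and SCPs; this is
    only enough to show the effect of resource scoping."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == want for key, want in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(policy_for_ou("OU-B"), indent=2))
```

Two caveats a practitioner should check before relying on this. First, the Service Authorization Reference lists both the target (OU, root or account) and the policy as resource types for `AttachPolicy`/`DetachPolicy`, which is why the example lists both ARN patterns rather than only the OU ARN as the answer does; verify the resource types and condition keys against that reference for your account, since a missing resource simply produces AccessDenied. Second, with `DetachPolicy` scoped to OU-B the delegated role can also detach SCPs that central administrators attached to OU-B; drop that action if that is not wanted. For item 5 of the question, denied calls are recorded in CloudTrail with `errorCode` set to `AccessDenied`, which is the field an EventBridge rule or a CloudTrail metric filter would key on to raise the notification.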
