How to create parent policy that limits permissions of child policies it creates

0
  • The context: I am Account A. In my master/parent policy that I am given, I will be able to create, update, and delete policies/roles AND other infrastructure resources in Account B.
  • The goal: I want to craft this master policy to be able to manage ONLY the resources I have created.
  • NOT the problem: trust relationships, external ids, confused deputy, getting access to Account B etc
  • IS the problem: I don't know of a way to enforce that all child policies that I create must also have all of the conditions that the parent policy has. Therefore, a child policy could be created with much greater permissions than the parent policy, defeating the purpose of limiting access to only the resources I have created.
  • CLARIFYING SCENARIO: I could, in the master/parent policy giving access to Account A, provide the condition that all resources, child policies, child roles, etc in Account B MUST be created with tags and MUST have the tags to be updated or deleted. HOWEVER, while I can create policies that say, have that tag, I do not know of any way to enforce that THOSE child policies must ALSO include the EXACT SAME condition that they too can ONLY create/update/delete tagged resources.

How might parent policy conditions be enforced in all child policies such that nothing created could have greater permissions than the creator? If this doesn't exist, it seems like a massive oversight in permissions management in AWS.

2 answers
0
Accepted answer

I would recommend using IAM Permissions boundaries. They are an extra set of permissions that can be applied that can set max permissions for an IAM entity.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

Answered 2 years ago
Expert
Reviewed a month ago
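The boundary pattern the accepted answer points to, written out as an added example (not from the answer or from AWS docs): Account B attaches a parent policy to Account A's role that only permits creating child roles when a fixed permissions boundary is attached, and the boundary itself carries the tag condition, so no child can exceed it. The account id, policy name, role prefix and the `owner` tag are placeholders; `create_role_allowed` is a small evaluator written here to show how the condition gates `iam:CreateRole`.

```python
import fnmatch

# Placeholders, not from the page: Account B's id and the boundary policy name.
ACCOUNT_B = "111122223333"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_B}:policy/TaggedResourcesBoundary"

# 1. The boundary: the ceiling every child role inherits. It carries the tag
#    condition, so a child cannot touch resources Account A did not tag.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*"],  # services Account A is allowed to manage
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/owner": "account-a"}},
    }],
}

# 2. The parent policy for Account A's role: child roles may only be created or
#    given policies when THIS boundary is set, and the boundary can never be
#    removed from a child or rewritten by Account A.
PARENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                    "iam:AttachRolePolicy", "iam:PutRolePolicy"],
         "Resource": f"arn:aws:iam::{ACCOUNT_B}:role/account-a-*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Effect": "Deny", "Action": "iam:DeleteRolePermissionsBoundary",
         "Resource": "*"},
        {"Effect": "Deny", "Resource": BOUNDARY_ARN,
         "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                    "iam:DeletePolicy"]},
    ],
}

def create_role_allowed(role_arn, boundary_arn):
    """Evaluate iam:CreateRole against PARENT_POLICY: a matching Deny wins,
    otherwise an Allow whose Resource pattern and iam:PermissionsBoundary
    condition both match is required (missing key => condition fails)."""
    allowed = False
    for stmt in PARENT_POLICY["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if "iam:CreateRole" not in actions or not any(fnmatch.fnmatch(role_arn, r) for r in resources):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "iam:PermissionsBoundary" in cond and cond["iam:PermissionsBoundary"] != boundary_arn:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Actions that do not operate on an already-tagged resource (Describe* calls, and Create* calls, which are checked with aws:RequestTag rather than aws:ResourceTag) need their own statements in the boundary.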
0

You can maybe attach an SCP at the org level that explicitly prohibits actions that you don't want users and roles in certain accounts to perform.

AWS
Answered 2 years ago
