Restricting user access to AWS resources within an account

0

We have 2 AWS accounts prod and non-prod. Currently there are 2 teams using the non-prod accounts. Team A owns Workload A and Team B owns workload B. What options do we have to restrict Team B from accessing/updating resources provisioned /owned by Team A and vice versa. We know we can isolate by creating separate non-prod accounts for team A and B but what other options are available to restrict access. A good example if Team A owns an S3 bucket then it is fine for Team B to be able to view the S3 bucket but not have privileges to read/update contents.

질문됨 2년 전373회 조회
2개 답변
0

There are multiple ways to define access to resources within AWS. For instance, permissions for Amazon S3 objects can be configured using a combination of S3 bucket policies, user policies and object ACLs to achieve a complex mix of different access permissions in the same bucket. Please review 'Policies and Permissions within IAM' - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html & 'Identity and access management in Amazon S3' - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html for more details.

AWS
Kash
답변함 2년 전
0

ABAC - Attribute Based Access Control may also be used here. In ABAC, you tag the resources and allow only IAM users with specific tag to access that resource. For example, you can map Workload A with a tag called "CreatedBy: Team A" and then have the same tag mapped to IAM users of Team A; then only Team A can access Workload A.

Please refer the following documentation for further details https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

GaneshV
답변함 2년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠