2 answers
4
Try using a Role Trust policy (basically a resource based policy) as below:
{
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" },
    "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
  }
}
And use the same for all the roles as required.
Answered a year ago
1
This cannot be done with an SCP. You have to allow this via the Trust Policy attached to the role. Something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "123456789012"
      },
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
    }
  ]
}
This example also uses the ExternalId.
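The two answers above describe the two halves of a role trust policy: an Allow for one trusted account gated by sts:ExternalId (second answer) and an explicit Deny for any principal outside the role's own AWS Organization (first answer). The following is an added example, not code from either answer or from AWS: it builds a trust policy that combines both statements, audits a policy document for the gaps the answers are guarding against, and optionally pushes it to a role with boto3. The account id, external id and role name are constructed placeholders; the condition keys use the casing from the AWS documentation (aws:PrincipalOrgID, aws:ResourceOrgID) and IAM matches key names case-insensitively.

```python
"""Build, audit and (optionally) apply an IAM role trust policy.

Added example, not code from the page. Placeholders: the account id,
external id and role name below are constructed values.
"""
import json


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Return a trust policy: Allow one account (with ExternalId) plus an
    org-scoped Deny so principals outside this organization can never assume
    the role, whatever other Allow statements are added later."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowTrustedAccountWithExternalId",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            },
            {
                "Sid": "DenyPrincipalsOutsideOrganization",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    # Deny when the caller's org differs from the role's org ...
                    "StringNotEquals": {"aws:PrincipalOrgID": "${aws:ResourceOrgID}"},
                    # ... unless the caller is an AWS service principal (key absent
                    # or false means "not a service", so the Deny applies).
                    "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
                },
            },
        ],
    }


def _has_key(block: dict, wanted: str) -> bool:
    """Case-insensitive lookup of a condition key inside one operator block."""
    return any(k.lower() == wanted.lower() for k in block)


def audit_trust_policy(policy: dict) -> list:
    """Return human-readable findings for the weaknesses the answers address:
    unconditioned wildcard Allows, cross-account Allows without ExternalId,
    and the absence of an organization-scoped Deny."""
    findings = []
    has_org_guard = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow":
            if aws_principal == "*":
                if not cond:
                    findings.append(f"{sid}: Allow to any principal with no Condition")
            elif not _has_key(cond.get("StringEquals", {}), "sts:ExternalId"):
                findings.append(f"{sid}: cross-account Allow without sts:ExternalId")
        elif stmt.get("Effect") == "Deny" and _has_key(
            cond.get("StringNotEquals", {}), "aws:PrincipalOrgID"
        ):
            has_org_guard = True
    if not has_org_guard:
        findings.append("policy: no Deny statement scoped to aws:PrincipalOrgID")
    return findings


def apply_trust_policy(role_name: str, policy: dict) -> None:
    """Replace the role's trust policy. boto3 is imported lazily so the
    builder and audit above run offline without AWS credentials."""
    import boto3

    boto3.client("iam").update_assume_role_policy(
        RoleName=role_name, PolicyDocument=json.dumps(policy)
    )


if __name__ == "__main__":
    doc = build_trust_policy("111122223333", "example-external-id")  # placeholders
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc) or "none")
    # apply_trust_policy("CrossAccountAuditRole", doc)  # placeholder role name
```

Running the audit against a trust policy that only has an unconditioned `"Principal": {"AWS": "*"}` Allow reports both the open Allow and the missing organization Deny, which is exactly the combination the two answers warn about.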