2 Answers
0
I would recommend using IAM Permissions boundaries. They are an extra set of permissions that can be applied that can set max permissions for an IAM entity.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
0
You can maybe attach an SCP at the org level that explicitly prohibits actions that you don't want users and roles in certain accounts to perform.
answered 2 years ago
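To show how the two suggestions above combine, here is an added example (not from either answer, and not AWS code): a simplified Python model of how an identity policy, a permissions boundary and an SCP together decide whether an action is allowed. It matches on action names only and ignores resources, conditions, resource-based and session policies; the policy documents and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _has(policy, effect, action):
    """True if any statement with this Effect matches the action name."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        # Action names are case-insensitive and may contain '*' wildcards.
        if stmt["Effect"] == effect and any(
            fnmatchcase(action.lower(), a.lower()) for a in actions
        ):
            return True
    return False

def evaluate(action, identity, boundary=None, scps=()):
    """Simplified decision: actions only, no resources or conditions.
    scps: one policy per organization level (assumption of this sketch)."""
    every = [identity, *scps] + ([boundary] if boundary else [])
    # An explicit Deny in any policy type always wins.
    if any(_has(p, "Deny", action) for p in every):
        return "explicit deny"
    # Every SCP level must allow the action.
    if not all(_has(s, "Allow", action) for s in scps):
        return "implicit deny (SCP)"
    if not _has(identity, "Allow", action):
        return "implicit deny (identity policy)"
    # The boundary caps what the identity policy can grant.
    if boundary and not _has(boundary, "Allow", action):
        return "implicit deny (permissions boundary)"
    return "allow"

# Constructed sample policies, not taken from the page.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket", "iam:CreateUser"]},
]}

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:DeleteBucket", "rds:CreateDBInstance"):
        print(act, "->", evaluate(act, ADMIN, BOUNDARY, [SCP]))
```

Even with an administrator-style identity policy, the boundary limits the role to the listed services, and the SCP's explicit deny cannot be overridden from inside the account.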