The first recommendation is to add conditions to the trust policy of the role. This limits the principal that can assume it. Further information here - https://docs.aws.amazon.com/controltower/latest/userguide/conditions-for-role-trust.html and here - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
As for limiting the full authority, the approach recommended is to set up a permissions boundary on the role. You can define the maximum permissions of the role and even explicitly deny actions such as modifying or deleting logging buckets, or even accessing the audit account altogether. You would also want to define in the policy that it cannot perform actions in IAM on itself ("NotResource:ROLE") and that it cannot edit the Permissions Boundary ("NoBoundaryPolicyEdit"). Examples of this are linked below.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
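A worked example of the two pieces the answer describes, added here and not part of the answer or of AWS's own documentation: a trust policy that restricts who can assume the role, and a permissions boundary that allows IAM on everything except the role itself, denies changes to a logging bucket, and denies editing the boundary policy. The account ID, role, bucket and policy names, and the external ID are constructed placeholders, and `boundary_allows` is a deliberately simplified check of the boundary document alone, not IAM's real policy evaluation.

```python
import fnmatch

# Constructed sample identifiers (assumptions, not from the answer).
ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DeployRole"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DeployBoundary"
LOG_BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs"

# Trust policy: only one named principal may assume the role, and only with the expected external ID.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/CiRunner"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
}]}

# Permissions boundary: the most the role can ever do, whatever its identity policies grant.
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowWorkload", "Effect": "Allow",
     "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    # IAM is allowed on everything except the role itself (the "NotResource:ROLE" idea).
    {"Sid": "IamExceptSelf", "Effect": "Allow", "Action": "iam:*", "NotResource": ROLE_ARN},
    {"Sid": "DenyLoggingBucketChanges", "Effect": "Deny",
     "Action": ["s3:Delete*", "s3:PutBucketPolicy", "s3:PutBucketLogging"],
     "Resource": [LOG_BUCKET_ARN, LOG_BUCKET_ARN + "/*"]},
    {"Sid": "NoBoundaryPolicyEdit", "Effect": "Deny",
     "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
     "Resource": BOUNDARY_ARN},
]}

def _matches(patterns, value):
    """Glob-match an IAM pattern (or list of patterns) against an action or ARN."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    if not _matches(stmt["Action"], action):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    return not _matches(stmt["NotResource"], resource)  # NotResource: everything but these

def boundary_allows(action, resource):
    """Simplified check, not IAM's real evaluator: an explicit Deny wins, otherwise an Allow must match."""
    hits = [s for s in PERMISSIONS_BOUNDARY["Statement"] if _applies(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)
```

The boundary only caps what the role may do; the role still needs an identity policy that grants the actions, and the trust policy separately decides who may assume it.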