- Newest
- Most votes
- Most comments
This can not be done with a SCP. You have to allow this via the Trust Policy attached the role. Something like this:
{
"Effect": "Deny",
"Principal": { "AWS": "*" },
"Action": "sts:AssumeRole",
"Condition": {
"StringNotEquals": {
"aws:PrincipalOrgId": "${aws:ResourceOrgId}"
},
"BoolIfExists": {
"aws:PrincipalIsAWSService": "false"
}
}
}
And use the same for all the roles as required.
SCP are used to restrict the access within the org only. after using above trust policy you can restrict that unintended person cannot modify the role trust policy using SCP.
An SCP (Service Control Policy) can only control access to AWS services and actions, but it cannot control the ability to assume roles. Therefore, you cannot use an SCP to block role assumption attempts from outside the AWS organization.
However, you can use an IAM policy to restrict role assumption to a specific set of trusted entities, such as specific AWS accounts or specific IAM users/groups/roles. Here's an example IAM policy that allows role assumption only by specific AWS accounts:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::234567890123:root"
]
},
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT-ID-WITH-ROLE:role/ROLE-NAME"
}
]
}
Replace ACCOUNT-ID-WITH-ROLE with the AWS account ID that contains the role that you want to restrict, and replace ROLE-NAME with the name of the role that you want to restrict. Also, replace the Principal element with the AWS accounts that are allowed to assume the role.
Note that this policy only restricts role assumption to specific AWS accounts, but it does not prevent someone with valid credentials in those AWS accounts from assuming the role from outside the AWS organization.
Relevant content
- Accepted Answerasked 6 months ago
- asked a year ago
- AWS OFFICIALUpdated 8 days ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 17 days ago
I'm confused - isn't role assumption an action? Why wouldn't this SCP prevent role assumption outside of the given org id?