2 Answers
4
Try using a Role Trust policy (basically a resource based policy) as below (the Deny statement wrapped in the policy document skeleton so it can be attached as-is):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" },
        "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
      }
    }
  ]
}
And use the same for all the roles as required.
answered 2 years ago
1
This cannot be done with an SCP. You have to allow this via the Trust Policy attached to the role. Something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "123456789012"
      },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "12345" } }
    }
  ]
}
This example also uses the ExternalId.
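Both answers rely on the role's trust policy rather than an SCP, so the defender's question becomes: which roles in the account actually carry an org-scoped guard (answer 1's Deny on aws:PrincipalOrgID) or a specific trusted account plus ExternalId (answer 2), and which are open to any AWS principal? The audit below is an added example and not code from either answer. It runs offline on trust-policy documents embedded in the file (the first is constructed by combining answer 1's Deny with a wildcard Allow; the second is answer 2's policy verbatim; the third is a constructed open policy); in practice the input would be the AssumeRolePolicyDocument returned by iam:GetRole. The function and helper names (audit_trust_policy and friends) are this example's own.

```python
"""Flag IAM role trust policies that let principals outside a trusted set assume the role.

Added example, not from the re:Post thread. Input is a trust policy document
(the AssumeRolePolicyDocument of a role); the sample policies below are
constructed for this file.
"""
import re
from typing import Any, Iterable, List, Optional

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}
ORG_KEY = "aws:principalorgid"          # condition keys are case-insensitive
ACCOUNT_PAT = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_assume_role(stmt: dict) -> bool:
    return any(a.lower() in ASSUME_ACTIONS for a in _as_list(stmt.get("Action")))


def _has_org_condition(stmt: dict, operators: Iterable[str]) -> bool:
    """True if the statement conditions on aws:PrincipalOrgID under one of the given operators."""
    for op, keys in stmt.get("Condition", {}).items():
        if op.lower() in operators and any(k.lower() == ORG_KEY for k in keys):
            return True
    return False


def _aws_principals(stmt: dict) -> List[str]:
    """AWS (IAM) principals of a statement; service/federated principals are out of scope here."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _account_of(principal: str) -> Optional[str]:
    m = ACCOUNT_PAT.match(principal)
    return m.group(1) if m else None


def audit_trust_policy(policy: dict, trusted_accounts: set) -> List[str]:
    """Return findings (empty list = nothing flagged) for one trust policy.

    A principal is considered acceptable if it is an account in trusted_accounts,
    or if the policy carries an org guard: either an Allow conditioned on
    StringEquals aws:PrincipalOrgID, or (answer 1's pattern) a Deny on
    sts:AssumeRole conditioned on StringNotEquals aws:PrincipalOrgID.
    """
    findings: List[str] = []
    statements = _as_list(policy.get("Statement"))
    org_deny_guard = any(
        s.get("Effect") == "Deny"
        and _covers_assume_role(s)
        and _has_org_condition(s, {"stringnotequals", "stringnotequalsifexists"})
        for s in statements
    )
    for i, s in enumerate(statements):
        if s.get("Effect") != "Allow" or not _covers_assume_role(s):
            continue
        guarded = org_deny_guard or _has_org_condition(s, {"stringequals"})
        for p in _aws_principals(s):
            if p == "*":
                if not guarded:
                    findings.append(f"statement {i}: wildcard AWS principal with no aws:PrincipalOrgID guard")
                continue
            acct = _account_of(p)
            if acct is None:
                findings.append(f"statement {i}: unrecognised principal {p!r}")
            elif acct not in trusted_accounts and not guarded:
                findings.append(f"statement {i}: account {acct} is outside the trusted set and no aws:PrincipalOrgID guard")
    return findings


# Constructed sample: answer 1's Deny combined with a wildcard Allow.
POLICY_ORG_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgId": "${aws:ResourceOrgId}"},
                       "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}},
    ],
}
# Answer 2's policy: one trusted account plus an ExternalId.
POLICY_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}}],
}
# Constructed sample: open to any AWS principal, no guard at all.
POLICY_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    trusted = {"123456789012"}
    for name, pol in [("org-deny", POLICY_ORG_DENY), ("external-id", POLICY_EXTERNAL_ID), ("open", POLICY_OPEN)]:
        print(name, audit_trust_policy(pol, trusted) or "OK")
```

The audit only inspects condition keys, not their values, so it will accept answer 1's `${aws:ResourceOrgId}` variable as well as a literal org ID; verifying that the value is the correct organisation is a separate check.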