2 Answers
- Newest
- Most votes
- Most comments
0
Hello, Please review the below example of such an SCP policy:
A few highlights:
- Your referenced ARN suggests that you are trying to create an common permission set with AWS IAM Identity Center, and apply the common permission set to multiple accounts that multiple administrators can assume a role into to make administrative changes. Below in the SCP I have replicated such a reference with the AWS Principal ARN list. Note - You can add multiple entries into the list to cover multiple applied SSO permission sets.
- Also notice the "*" within the policy to cover the changing account fields, and the SSO user reference that's appended on the end of the AWSReservedSSO role ARN. Its always best practice to be as explicit as reasonably possible, but I just wanted to highlight the trailing * for your attention to adjust accordingly.
Hope this helps !
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAccessWithException", "Effect": "Deny", "Action": [ "iam:CreateUser", "iam:CreateAccessKey" ], "Resource": [ "*" ], "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_*" ] } } } ] }
- Lewis
answered a year ago
Relevant content
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 months ago