1 Answer
- Newest
- Most votes
- Most comments
1
Hi,
The right way to achieve what you want in a multi-account structure is to use the SCPs (Service Control Policies)of AWS Organizations. AWS Orgs is integrated with AWS IIC.
SCP details: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Before reading those, you may want to read the foundational paper re. AWS Orgs: https://docs.aws.amazon.com/pdfs/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf
Best,
Didier
Relevant content
- asked 7 months ago
- Accepted Answerasked 4 months ago
AWS OFFICIALUpdated 5 months ago- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
Implementing SCPs is at the account level. I actually have the users in Groups that's attached to the different accounts. Maybe to be more clear, currently the developers have administrator access but i want to limit this access using policies as such implementing least privilege.
SCPs are at account level but distributed automatically from master AWS Orgs account.
Even if you users have local admin rights. the proper SCP will limit their rights.
I suggest to https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
It says "An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to the IAM users and roles in the affected accounts. The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies."
Because of this "intersection", you can downgrade the effective rights to least privilege via a restricitive SCP even if users keep admin rights at account level