Questions tagged with AWS Account Management

Content language: English

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

How to create parent policy that limits permissions of child policies it creates

- The context: I am Account A. In my master/parent policy that I am given, I will be able to create, update, and delete policies/roles AND other infrastructure resources in Account B. - The goal: I want to craft this master policy to be able to manage ONLY the resources I have created. - NOT the problem: trust relationships, external ids, confused deputy, getting access to Account B etc - IS the problem: I don't know of a way to enforce that all child policies that I create must also have all of the conditions that the parent policy has. Therefore, a child policy could be created which much greater permissions than the parent policy, defeating the purpose of limiting access to only the resources I have created. - CLARIFYING SCENARIO: I could, in the master/parent policy giving access to Account A, provide the condition that all resources, child policies, child roles, etc in Account B MUST be created with tags and MUST have the tags to be updated or deleted. HOWEVER, while I can create policies that say, have that tag, I do not know of any way to enforce that THOSE child policies must ALSO include the EXACT SAME condition that they too can ONLY create/update/delete tagged resources. How might parent policy conditions be enforced in all child policies such that nothing created could have greater permissions than the creator? If this doesn't exist, it seems like a massive oversight in permissions management in AWS.
asked 2 months ago