使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Delegate SCP administration of specific OU to IAM role of a member account

0

We have a shared Organization and would like to provide member accounts in an Organization to self manage SCPs on OUs where their accounts are located. We want to know if it is possible to do the following:

  1. An organization has OU-A, OU-B and OU-C etc.
  2. An account in OU-B wants to use IAM-User-B to create an SCP in the Management account and assign to OU-B
  3. IAM-USer-B must be have the ability to create/modify/delete SCPs in Organizations in the Management account, but can ONLY assign the SCP to OU-B.
  4. Any attempt to assign an SCP to OU-A or OU-C will be denied.
  5. Auditing is in place and a notification is triggered of any invalid attempt by IAM-User-B
  6. The same principle must be applied to users in OU-A and OU-C.

Any help is appreciated.

Thanks

主题
安全、身份和合规性管理与治理
标签
安全、身份和合规性AWS 身份和访问权限管理AWS OrganizationsAWS 账户管理IAM 策略
语言
English
rePost-User-0529671
已提问 1 年前654 查看次数
1 回答
1

Well, if I understand you correctly, when you assign the policy to the user or role the user assumes (do not use users please, use always temp credentials so assume roles), what you can define on that policy is with resource, so you limit the permissions you grant in the policy to that specific resource, here is the idea:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*", 
        "organizations:List*" 
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:AttachPolicy",
      "Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
    }
  ]
}

As you can see on the Resource line, you can restrict the OU in the resource line, to the attach policy permission. Hope this helps to build the desired policy, here is the documentation:

You can also play with some global conditions and ResourceOrgPaths here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

best.

profile pictureAWS
JuanEn_G
已回答 1 年前
  • rePost-User-0529671
    1 年前

    Thanks for you r reply @JuanEn_G I can see how that would restrict attachment, but what would they need to allow the IAM role to create/amend/delete SCPs in Organizations?

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容