1 Answer
1
Well, if I understand you correctly, when you assign the policy to the user or the role the user assumes (do not use users please, always use temporary credentials, so assume roles), what you can define in that policy is the resource, so you limit the permissions you grant in the policy to that specific resource. Here is the idea:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:AttachPolicy",
      "Resource": "arn:aws:organizations::<masterAccountId>:ou/o-<organizationId>/ou-<organizationalUnitId>"
    }
  ]
}
```
As you can see on the Resource line, you can restrict the attach-policy permission to the OU named in the resource. Hope this helps to build the desired policy; here is the documentation:
You can also play with some global conditions and ResourceOrgPaths here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
Best.
Answered 1 year ago
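As an added illustration (not part of the answer above or of any AWS tooling), a small evaluator that applies the identity-policy rules the answer relies on, default deny, explicit Deny wins, wildcard matching on Action and Resource, to the answer's policy with constructed placeholder IDs filled in. It shows that `organizations:AttachPolicy` is allowed only for the named OU and that actions such as `organizations:CreatePolicy` are not granted at all; conditions, SCPs and permission boundaries, which the real IAM engine also evaluates, are deliberately not modelled.

```python
import fnmatch

# Constructed placeholder identifiers (not real AWS resources).
MASTER_ACCOUNT = "111111111111"
ORG_ID = "o-exampleorgid"
ALLOWED_OU = f"arn:aws:organizations::{MASTER_ACCOUNT}:ou/{ORG_ID}/ou-aaaa-11111111"
OTHER_OU = f"arn:aws:organizations::{MASTER_ACCOUNT}:ou/{ORG_ID}/ou-bbbb-22222222"

# The answer's policy with the placeholders substituted.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["organizations:Describe*", "organizations:List*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "organizations:AttachPolicy",
         "Resource": ALLOWED_OU},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM treats '*' and '?' as wildcards; action names match case-insensitively,
    # resource ARNs match case-sensitively.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: default deny, an explicit Deny
    on a matching statement wins, otherwise any matching Allow grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for act, res in [("organizations:AttachPolicy", ALLOWED_OU),
                     ("organizations:AttachPolicy", OTHER_OU),
                     ("organizations:ListRoots", "*"),
                     ("organizations:CreatePolicy", "*")]:
        print(f"{act} on {res}: {'ALLOW' if is_allowed(POLICY, act, res) else 'DENY'}")
```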
Thanks for your reply @JuanEn_G. I can see how that would restrict attachment, but what would they need to allow the IAM role to create/amend/delete SCPs in Organizations?