Create an administrator-like profile/role outside the management account

Question

I have multiple accounts in Organizations and wanted a way to manage them securely. I want to create a user or give my user permission as if they were an administrator (in this multiple accounts), so I don't have to use the management account. What's the best way to do this?

I saw that I can use permission boundaries, but I didn't find examples of how it would be applied to an administrator-like user or how I can write a policy and permission boundaries in this case for an administrator.
Besides that, would any other action be recommended? Any blockage on the management account?
Thanks!

Answer

Hello.

If you are using Organizations, you can use SCP to restrict operations.  
You might be able to accomplish what you want using this.  
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Answer

You might want to also check out delegated administration. Delegated administration provides a convenient way for assigned users in a registered member account to perform most IAM Identity Center administrative tasks. More here: https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html

Create an administrator-like profile/role outside the management account

相关内容