Blocking account level write actions

1

Currently, a set of admin users can close the account. I am trying to come up with a policy that prevents those users from doing it, and this is the policy I wrote.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "account:CloseAccount"
            ],
            "Resource": "*"
        }
    ]
}

Even after applying the above policy, I am still able to see the Close Account action on the web page.

2 answers
0

Hi there. The policy you have mentioned needs a correction.

Instead of

account:CloseAccount

use

organizations:CloseAccount

Then the policy will be as follows

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "organizations:CloseAccount"
            ],
            "Resource": "*"
        }
    ]
}

Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html

AWS
Answered 1 year ago
  • Thanks for your reply. However, I tried the above one as well as the policy below, but I can still click the close account button.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PreventCloseAccount",
                "Effect": "Deny",
                "Action": "organizations:CloseAccount",
                "Resource": [
                    "arn:aws:organizations::44444444:account/o-/1234567",
                    "arn:aws:organizations::44444444:account/o-/7890534"
                ]
            }
        ]
    }

0

Hi,

Could you please confirm whether this is working with

"Resource": "*"

and, if it is working, please make sure that the account ARNs you mentioned in the resource block are correct.

AWS
Answered 1 year ago
  • Hi, I tested these policies with "Resource": "*" and with "Resource": [ "arn:aws:organizations::44444444:account/o-/1234567", "arn:aws:organizations::44444444:account/o-/7890534" ] as well. I attached this policy to our admin group in the management account and in the member account. Still, I can see the close account button when I log in as an IAM user in my member account.
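An added example following the thread above (it is not code from the thread or from AWS): a small offline evaluator for the identity-based policies discussed, written to make two points concrete. First, an explicit Deny wins over any Allow, but it only matches the exact action name the API call uses, so a Deny on organizations:CloseAccount has no effect on a call to account:CloseAccount and vice versa. Second, a Deny never hides a console button; it only makes the underlying call fail, so the reliable check is the IAM policy simulator or an actual call, not the UI. The ADMIN_ALLOW document is a constructed stand-in for the broad allow an admin group typically carries, the evaluator ignores NotAction, NotResource and Condition, and MEMBER_X is a constructed account ARN that the thread does not mention.

```python
import fnmatch
import json

# Deny policy from the answer above, with the trailing comma after the
# Action entry removed so that it is valid JSON.
DENY_ALL_ACCOUNTS = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": ["organizations:CloseAccount"],
            "Resource": "*"
        }
    ]
}
"""

# The resource-scoped variant the questioner tried (account ARNs as given in the thread).
DENY_TWO_ACCOUNTS = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventCloseAccount",
            "Effect": "Deny",
            "Action": "organizations:CloseAccount",
            "Resource": [
                "arn:aws:organizations::44444444:account/o-/1234567",
                "arn:aws:organizations::44444444:account/o-/7890534"
            ]
        }
    ]
}
"""

# Constructed stand-in for the broad allow an admin group normally carries
# (same shape as the AWS managed AdministratorAccess policy).
ADMIN_ALLOW = """
{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}
"""


def load_policy(document: str) -> dict:
    """Parse a policy document; a trailing comma or other JSON error raises ValueError."""
    try:
        return json.loads(document)
    except json.JSONDecodeError as exc:
        raise ValueError(f"policy is not valid JSON: {exc}") from exc


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    for pattern in _as_list(patterns):
        candidate = value
        if ignore_case:
            pattern, candidate = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(candidate, pattern):
            return True
    return False


def evaluate(policies, action: str, resource: str) -> str:
    """Simplified identity-based evaluation: an explicit Deny in any policy wins,
    otherwise an Allow is required, otherwise the result is an implicit deny."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, ignore_case=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision


MEMBER_A = "arn:aws:organizations::44444444:account/o-/1234567"  # listed in the thread
MEMBER_X = "arn:aws:organizations::44444444:account/o-/0000000"  # constructed, not listed


def check_close_account(deny_document: str, resource: str = MEMBER_A) -> dict:
    """Decision per CloseAccount action name when ADMIN_ALLOW is combined with deny_document."""
    policies = [load_policy(ADMIN_ALLOW), load_policy(deny_document)]
    return {
        "organizations:CloseAccount": evaluate(policies, "organizations:CloseAccount", resource),
        "account:CloseAccount": evaluate(policies, "account:CloseAccount", resource),
    }


if __name__ == "__main__":
    print(check_close_account(DENY_ALL_ACCOUNTS))
    print(check_close_account(DENY_TWO_ACCOUNTS, MEMBER_X))
```

Running the block shows that the "Resource": "*" deny blocks organizations:CloseAccount on every account while leaving account:CloseAccount untouched, and that the two-ARN version leaves any account not listed closable by the admin allow, which is why the second answer asks for the ARNs to be verified.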
