AWS ORGANIZATIONS

Question

been working on AWS ORGANIZATIONS..i've my root account(management account) under that i've one vendor account

now in management account i've 2 ec2 instance resource..with switch role from vendor account to management account..i should only see one ec2 instance among that 2 instance that already available in management account.

now how can i apply policies to do this..i tried tag policies to do this which only restrict the vendor to do things..but for my use case i should hide one ec2 instance and show only one ec2 instance by vendor account..how can i do with?

Accepted Answer

You can do that by delegate access across AWS accounts using IAM roles.
Use AWS Mgmt Console to establish trust between the Mgmt and Vendor account. Create a IAM role named e.g. vendorARole. When you create the role, you define the Vendor account as a trusted entity and specify a permission policy that allows trusted users to access only one of the EC2 instance via tagging.

You can see a similar steps for sharing of S3 bucket across account at:

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

AWS ORGANIZATIONS

相關內容