2 answers
4
Try using a Role Trust policy (basically a resource-based policy) as below:
```json
{
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" },
    "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
  }
}
```
And use the same for all the roles as required.
Answered 1 year ago
1
This cannot be done with an SCP. You have to allow this via the Trust Policy attached to the role. Something like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "123456789012"
      },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "12345" } }
    }
  ]
}
```
This example also uses the ExternalId.
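The two statements above (the org-wide Deny guardrail from the first answer and the account-plus-ExternalId Allow from the second) can be checked against sample request contexts with the following added example; it is a simplified model of IAM condition evaluation written for this page, not code from either answer or from AWS, and it assumes the constructed org ID `o-exampleorg` and models the `"AWS": "123456789012"` principal via `aws:PrincipalAccount`.

```python
# Added example: a simplified model of how IAM evaluates the two trust-policy
# statements quoted on this page. It is not the IAM engine; it only covers the
# StringEquals / StringNotEquals and BoolIfExists operators used above.

RESOURCE_ORG = "o-exampleorg"      # constructed value standing in for aws:ResourceOrgId
TRUSTED_ACCOUNT = "123456789012"   # account from the second answer
EXTERNAL_ID = "12345"              # sts:ExternalId from the second answer


def deny_outside_org(ctx: dict) -> bool:
    """First answer: Deny sts:AssumeRole unless the caller belongs to the role's
    organization or is an AWS service principal. Both condition blocks must
    match for the Deny to apply."""
    # StringNotEquals matches when the key is absent: a principal with no
    # aws:PrincipalOrgId (not in any org) counts as "not equal".
    org_mismatch = ctx.get("aws:PrincipalOrgId") != RESOURCE_ORG
    # BoolIfExists: an absent key matches; a present key must equal "false".
    is_service = ctx.get("aws:PrincipalIsAWSService")
    not_service = is_service is None or is_service == "false"
    return org_mismatch and not_service


def allow_trusted_account(ctx: dict) -> bool:
    """Second answer: Allow sts:AssumeRole for one account, and only when the
    caller presents the expected sts:ExternalId."""
    return (ctx.get("aws:PrincipalAccount") == TRUSTED_ACCOUNT
            and ctx.get("sts:ExternalId") == EXTERNAL_ID)


def evaluate(ctx: dict) -> str:
    """Explicit deny wins over any allow; no matching allow is an implicit deny."""
    if deny_outside_org(ctx):
        return "explicit_deny"
    if allow_trusted_account(ctx):
        return "allow"
    return "implicit_deny"


# Constructed request contexts (the keys are the IAM condition keys used above).
SAME_ORG_OK = {"aws:PrincipalAccount": TRUSTED_ACCOUNT, "aws:PrincipalOrgId": RESOURCE_ORG,
               "aws:PrincipalIsAWSService": "false", "sts:ExternalId": EXTERNAL_ID}
OTHER_ORG = {"aws:PrincipalAccount": "999999999999", "aws:PrincipalOrgId": "o-otherorg",
             "aws:PrincipalIsAWSService": "false", "sts:ExternalId": EXTERNAL_ID}
AWS_SERVICE = {"aws:PrincipalIsAWSService": "true"}

if __name__ == "__main__":
    for name, ctx in [("same org", SAME_ORG_OK), ("other org", OTHER_ORG), ("service", AWS_SERVICE)]:
        print(f"{name}: {evaluate(ctx)}")
```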