2 個答案
- 最新
- 最多得票
- 最多評論
0
Hello, Please review the below example of such an SCP policy:
A few highlights:
- Your referenced ARN suggests that you are trying to create an common permission set with AWS IAM Identity Center, and apply the common permission set to multiple accounts that multiple administrators can assume a role into to make administrative changes. Below in the SCP I have replicated such a reference with the AWS Principal ARN list. Note - You can add multiple entries into the list to cover multiple applied SSO permission sets.
- Also notice the "*" within the policy to cover the changing account fields, and the SSO user reference that's appended on the end of the AWSReservedSSO role ARN. Its always best practice to be as explicit as reasonably possible, but I just wanted to highlight the trailing * for your attention to adjust accordingly.
Hope this helps !
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAccessWithException", "Effect": "Deny", "Action": [ "iam:CreateUser", "iam:CreateAccessKey" ], "Resource": [ "*" ], "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_*" ] } } } ] }
- Lewis
已回答 1 年前
相關內容
- 已提問 6 個月前
AWS 官方已更新 7 個月前