AWS IAM 策略基于父 Cloudformation 限制对资源的访问

Question

Under our AWS account, we have multiple products which are each their own Cloudformation Stacks. The entire products stack is Dynamo/Serverless/Cognito.

Recently one of our clients has brought in outside contractors to work on specific products.

Is there a way we can limit their access within our account to all resources deployed under a cloudformation?

---

I've tried the following by tagging resources under the cloudformation with enviroment (prod/master) & product tags:

{
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "ForAllValues:StringEquals": {
            "aws:ResourceTag/Product": "productName",
            "aws:ResourceTag/Environment": "productEnviroment"
          }
        }
      }
    ]
  }

This does not work and seems to give access to everything. Reversing this and denying all but the tagged, then directly applying specific actions doesnt seem to work either.

Answer 1

You can create Organization Units and add accounts to them which only have access to the resources within those OU's. It's hierarchical, so your root account will have access to everything, so on and so forth.

Organization -> OU1 -> OU2 -> OU3

There, unfortunately, is no CloudFormation for Organizations, but the CLI is pretty straightforward .

If you wanted to automate this, I would do something along the lines of:

1. Create Org Unit/s under root/parent OU
2. Create Account (created in root)
3. Move account from root to OU
4. Generate an access key for account / create IAM and generate access key (unfortunately a 'one-off' manual task)
5. Use the AWS credentials to deploy the CloudFormation stacks you wish to keep within that org unit