
cross account per VPC access

All developers and testers are in the development account (account D). The production and testing environments are in another account (account X), however in two different VPCs: VPC-P and VPC-T. How do I limit testers' access to VPC-P while developers enjoy access to VPC-P only? There are also other VPCs in account X, and developers/testers need not have access to other stuff in account X.

It appears your situation is:

Account-D contains:

  • IAM Users for developers and testers

Account-X contains:

  • VPC-P
  • VPC-T

You want to allow 'testers' in Account-D to modify the settings on VPC-T.

You want to allow 'developers' in Account-D to modify the settings on VPC-P.

This does not appear to be possible. According to "Actions, Resources, and Condition Keys for Amazon EC2 - AWS Identity and Access Management", only some actions can accept a VPC as a condition, such as:

  • ec2:CreateVpcPeeringConnection
  • ec2:CreateNetworkInterfacePermission
  • ec2:CreateRoute

Commands like CreateSubnet and DeleteSubnet do not allow any conditions.

Therefore, it would not be possible to restrict many VPC-related permissions to operate only on a specific VPC.

Given that you are dealing with testers and developers, I would recommend using separate AWS Accounts for each environment. Have one Account for Developers, where IAM Users and VPCs are defined. Have a separate AWS Account for Testers to ensure that they have no access into the Developers account. This creates a clean separation of environments.
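To make the answer's point concrete, here is an added example (not from the original post or from AWS documentation) that builds the two policy documents a cross-account role in Account-X would need: a trust policy for principals in Account-D, and a permissions policy that grants only the actions that accept the `ec2:Vpc` condition key, pinned to one VPC ARN. Account IDs, region and VPC ID are constructed placeholders; actions that take no condition (`CreateSubnet`, `DeleteSubnet`) are reported back instead of being granted account-wide.

```python
import json

# Constructed placeholder identifiers, not values from the original post.
ACCOUNT_X = "111111111111"          # Account-X: where VPC-P and VPC-T live
ACCOUNT_D = "222222222222"          # Account-D: where the IAM users live
REGION = "us-east-1"
VPC_P = "vpc-0123456789abcdef0"

# Actions the answer lists as accepting a VPC condition (the ec2:Vpc key
# carries the VPC ARN) and two it says accept no condition at all.
VPC_SCOPABLE = {"ec2:CreateRoute", "ec2:CreateNetworkInterfacePermission"}
UNSCOPABLE = {"ec2:CreateSubnet", "ec2:DeleteSubnet"}


def vpc_arn(account: str, region: str, vpc_id: str) -> str:
    return f"arn:aws:ec2:{region}:{account}:vpc/{vpc_id}"


def trust_policy(trusted_account: str) -> dict:
    """Trust policy for a role in Account-X that Account-D principals may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def scoped_permissions(wanted, account, region, vpc_id):
    """Permissions policy for that role: only the VPC-scopable subset of `wanted`,
    pinned to one VPC. Returns (policy, rejected); `rejected` lists the actions
    that could only be granted account-wide, so they are deliberately left out."""
    allowed = sorted(a for a in wanted if a in VPC_SCOPABLE)
    rejected = sorted(a for a in wanted if a not in VPC_SCOPABLE)
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": allowed,
            "Resource": "*",
            "Condition": {"ArnEquals": {"ec2:Vpc": vpc_arn(account, region, vpc_id)}},
        }],
    }
    return policy, rejected


if __name__ == "__main__":
    policy, rejected = scoped_permissions(VPC_SCOPABLE | UNSCOPABLE, ACCOUNT_X, REGION, VPC_P)
    print(json.dumps(trust_policy(ACCOUNT_D), indent=2))
    print(json.dumps(policy, indent=2))
    print("cannot be limited to VPC-P:", rejected)
```

Attach the permissions policy to the role in Account-X and let only the developers' IAM group in Account-D call `sts:AssumeRole` on it; the `rejected` list is exactly the gap the answer describes, which per-account separation closes.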
