
AWS IAM Policy restrict access to resources based on parent Cloudformation

Under our AWS account, we have multiple products, each of which is its own CloudFormation stack. The entire product stack is Dynamo/Serverless/Cognito.

Recently one of our clients has brought in outside contractors to work on specific products.

Is there a way we can limit their access within our account to all resources deployed under a CloudFormation stack?


I've tried the following by tagging resources under the CloudFormation stack with environment (prod/master) and product tags:

{
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "ForAllValues:StringEquals": {
            "aws:ResourceTag/Product": "productName",
            "aws:ResourceTag/Environment": "productEnviroment"
          }
        }
      }
    ]
  }
}

This does not work and seems to give access to everything. Reversing this and denying all but the tagged, then directly applying specific actions, doesn't seem to work either.
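The behaviour described above follows from the condition operator: ForAllValues:StringEquals evaluates to true when the request context contains no aws:ResourceTag key at all, so every action whose request carries no resource tags (list, describe and create calls, among others) is allowed. Plain StringEquals is false when the key is absent. The following script is an added example, not code from the question or from AWS: it emits the tag-scoped policy with the operator corrected, adds a Deny that stops a principal from re-tagging resources into or out of scope, and uses the real `aws iam simulate-custom-policy` call to check how the policy evaluates before it is attached to anyone. It assumes the AWS CLI v2 and a caller allowed `iam:SimulateCustomPolicy`; the tag values come from the question, and the table ARN and account id are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the question. Assumes the AWS CLI v2 and a
# caller allowed iam:SimulateCustomPolicy. Tag values come from the
# question; the DynamoDB table ARN and account id are constructed placeholders.
set -eu

PRODUCT="${PRODUCT:-productName}"
ENVIRONMENT="${ENVIRONMENT:-productEnviroment}"
TABLE_ARN="arn:aws:dynamodb:us-east-1:111111111111:table/example-table"  # placeholder

# Tag-scoped policy. StringEquals (not ForAllValues:StringEquals) is false
# when aws:ResourceTag is missing from the request, so untagged resources
# fall through to the implicit deny. The Deny statement fires on any
# tagging request that touches the Product key unless the value being set
# is the permitted one, so contractors cannot pull other products' resources
# into scope by re-tagging them (an untag request has no aws:RequestTag, and
# StringNotEquals is true for a missing key, so untagging is denied too).
contractor_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyResourcesTaggedForThisProduct",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Product": "$PRODUCT",
          "aws:ResourceTag/Environment": "$ENVIRONMENT"
        }
      }
    },
    {
      "Sid": "NoRetaggingAcrossProducts",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["Product"] },
        "StringNotEquals": { "aws:RequestTag/Product": "$PRODUCT" }
      }
    }
  ]
}
EOF
}

# Ask IAM how the policy evaluates dynamodb:GetItem against a table carrying
# the given Product/Environment tags. EvalDecision is one of
# allowed / implicitDeny / explicitDeny. With DRY_RUN=1 nothing is called.
simulate_get_item() {   # $1 = Product tag on the resource, $2 = Environment tag
  policy_file=$(mktemp)
  contractor_policy > "$policy_file"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    rm -f "$policy_file"
    echo "dry run: would call aws iam simulate-custom-policy"
    return 0
  fi
  aws iam simulate-custom-policy \
    --policy-input-list "file://$policy_file" \
    --action-names dynamodb:GetItem \
    --resource-arns "$TABLE_ARN" \
    --context-entries \
      "ContextKeyName=aws:ResourceTag/Product,ContextKeyValues=$1,ContextKeyType=string" \
      "ContextKeyName=aws:ResourceTag/Environment,ContextKeyValues=$2,ContextKeyType=string" \
    --query 'EvaluationResults[0].EvalDecision' --output text
  rm -f "$policy_file"
}

# Run with --check to simulate a matching table and a table from another product.
if [ "${1:-}" = "--check" ]; then
  simulate_get_item "$PRODUCT" "$ENVIRONMENT"      # expected: allowed
  simulate_get_item other-product "$ENVIRONMENT"   # expected: implicitDeny
fi
```

Two caveats a practitioner should keep in mind: actions that do not operate on a taggable resource (for example `dynamodb:ListTables` or the `cloudformation:CreateStack` call behind a first deploy) carry no aws:ResourceTag and are therefore denied by this policy, so they need their own narrowly scoped statements (create calls can be gated on aws:RequestTag instead); and not every AWS service supports resource-tag conditions for every action, so the simulator check above is worth repeating for each action the contractors actually need.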

You can create Organizational Units and add accounts to them which only have access to the resources within those OUs. It's hierarchical, so your root account will have access to everything, and so on and so forth.

Organization -> OU1 -> OU2 -> OU3

There, unfortunately, is no CloudFormation for Organizations, but the CLI is pretty straightforward.

If you wanted to automate this, I would do something along the lines of:

  1. Create Org Unit/s under root/parent OU
  2. Create Account (created in root)
  3. Move account from root to OU
  4. Generate an access key for account / create IAM and generate access key (unfortunately a 'one-off' manual task)
  5. Use the AWS credentials to deploy the CloudFormation stacks you wish to keep within that org unit
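The five steps above, scripted with the AWS CLI as an added example (this is not code from the answer or from AWS). It assumes it runs with credentials in the organization's management account, that `create-account` was left with its default `OrganizationAccountAccessRole`, and that the AWS CLI v2 is installed; OU name, account name, e-mail and template path are constructed placeholders. Two points go beyond the list: `create-account` is asynchronous, so the script polls `describe-create-account-status` until the account exists, and instead of generating a long-lived access key (step 4) it assumes the role that account creation provisions and exports temporary credentials for the deploy.

```shell
#!/bin/sh
# Added example, not code from the answer. Automates steps 1-5 with the AWS
# CLI v2. Assumes management-account credentials and the default
# OrganizationAccountAccessRole in the new account. Names, e-mail and the
# template path are constructed placeholders.
set -eu

# With DRY_RUN=1 every AWS call is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# Step 1: create an OU beneath a parent (the root id or another OU id).
create_ou() {              # $1 = parent id, $2 = OU name -> prints the OU id
  run organizations create-organizational-unit \
    --parent-id "$1" --name "$2" \
    --query 'OrganizationalUnit.Id' --output text
}

# Step 2: create the member account. The call only starts the job, so poll
# until the state leaves IN_PROGRESS, then read the new account id.
create_account() {         # $1 = account name, $2 = root e-mail -> prints account id
  req_id=$(run organizations create-account \
    --account-name "$1" --email "$2" \
    --query 'CreateAccountStatus.Id' --output text)
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "111111111111"    # placeholder account id for dry runs
    return 0
  fi
  while :; do
    state=$(aws organizations describe-create-account-status \
      --create-account-request-id "$req_id" \
      --query 'CreateAccountStatus.State' --output text)
    case "$state" in
      SUCCEEDED) break ;;
      FAILED) echo "account creation failed" >&2; return 1 ;;
      *) sleep 10 ;;
    esac
  done
  aws organizations describe-create-account-status \
    --create-account-request-id "$req_id" \
    --query 'CreateAccountStatus.AccountId' --output text
}

# Step 3: new accounts are created under the root; move this one into the OU.
move_account() {           # $1 = account id, $2 = source parent id, $3 = destination OU id
  run organizations move-account \
    --account-id "$1" --source-parent-id "$2" --destination-parent-id "$3"
}

# Step 4: assume the role create-account provisioned in the new account and
# export short-lived credentials, rather than minting an IAM access key.
assume_into_account() {    # $1 = account id
  creds=$(run sts assume-role \
    --role-arn "arn:aws:iam::$1:role/OrganizationAccountAccessRole" \
    --role-session-name contractor-bootstrap \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  [ "${DRY_RUN:-0}" = "1" ] && return 0
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Step 5: deploy the product stack with the credentials exported above.
deploy_stack() {           # $1 = stack name, $2 = template path
  run cloudformation deploy --stack-name "$1" --template-file "$2" \
    --capabilities CAPABILITY_NAMED_IAM
}

main() {
  root_id=$(run organizations list-roots --query 'Roots[0].Id' --output text)
  ou_id=$(create_ou "$root_id" "ContractorProductA")
  acct_id=$(create_account "product-a-contractors" "aws+product-a@example.com")
  move_account "$acct_id" "$root_id" "$ou_id"
  assume_into_account "$acct_id"
  deploy_stack "product-a" ./product-a.yaml
}

# Run with --apply to execute; add DRY_RUN=1 to print the calls instead.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `DRY_RUN=1 sh bootstrap.sh --apply` first to review the exact calls, then without `DRY_RUN`. Because the contractor account's access is bounded by the account itself, the IAM policies inside it can stay simple; if the client later needs to restrict what contractors may do within the account, a service control policy attached to the OU applies on top of whatever IAM grants.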
