Under our AWS account, we have multiple products, each of which is its own CloudFormation stack. The entire product stack is Dynamo/Serverless/Cognito.
Recently one of our clients has brought in outside contractors to work on specific products.
Is there a way we can limit their access within our account to the resources deployed under one CloudFormation stack?
I've tried the following, tagging the resources under the CloudFormation stack with environment (prod/master) and product tags:
{
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "ForAllValues:StringEquals": {
            "aws:ResourceTag/Product": "productName",
            "aws:ResourceTag/Environment": "productEnvironment"
          }
        }
      }
    ]
  }
}
This does not work and seems to give access to everything. Reversing this (denying all but the tagged resources) and then directly applying specific actions doesn't seem to work either.
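The over-permission in the policy above comes from the set operator: `ForAllValues:StringEquals` is documented to evaluate to true when the condition key is absent from the request context, and `aws:ResourceTag/*` is only populated for actions on an existing, taggable resource. With `Action: "*"`, every List/Describe call, every create call (the resource has no tags yet) and every action on a resource type that does not support resource tags therefore passes the condition and is allowed. The single-valued `StringEquals` fails on an absent key, which is the safe direction, but then the list calls the contractor needs have to be allowed separately, and the tagging actions should be explicitly denied, because otherwise the contractor can retag resources into scope. The following is an added example, not code from the question or the answer: a toy evaluator of just these operators, run over the question's policy (with `prod` assumed in place of the Environment placeholder) and a corrected one. The account ID, ARNs, request contexts and the action lists in the extra statements are constructed for illustration and are not complete; it also assumes the stack's resources actually carry the tags (CloudFormation propagates stack-level tags only to resource types that support tagging).

```python
"""Toy evaluator for the IAM condition operators used in the question.

Added example, not code from the question or the answer. It models only
Allow/Deny statements with Action/Resource globs and StringEquals in its
single-valued, ForAllValues and ForAnyValue forms, using the documented
rule that ForAllValues is true when the context key is absent. Which
requests carry aws:ResourceTag/* is simulated by constructed contexts.
"""
import fnmatch

# The policy document from the question (ForAllValues on single-valued keys).
# Environment "prod" is assumed in place of the question's placeholder value.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"ForAllValues:StringEquals": {
            "aws:ResourceTag/Product": "productName",
            "aws:ResourceTag/Environment": "prod"}},
    }],
}

# Corrected document: single-valued StringEquals fails on an absent key; list
# actions that never carry aws:ResourceTag get their own statement; and tag
# mutation is explicitly denied so the contractor cannot move the boundary.
# The action lists are an illustrative minimum, not a complete set.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TaggedResourcesOnly", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/Product": "productName",
             "aws:ResourceTag/Environment": "prod"}}},
        {"Sid": "ListActionsHaveNoResourceTag", "Effect": "Allow", "Resource": "*",
         "Action": ["dynamodb:ListTables", "lambda:ListFunctions", "cognito-idp:ListUserPools"]},
        {"Sid": "NoRetagging", "Effect": "Deny", "Resource": "*",
         "Action": ["dynamodb:TagResource", "dynamodb:UntagResource",
                    "lambda:TagResource", "lambda:UntagResource",
                    "cognito-idp:TagResource", "cognito-idp:UntagResource",
                    "tag:TagResources", "tag:UntagResources"]},
    ],
}


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block against a request-context dict."""
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")  # "" / ForAllValues / ForAnyValue
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            allowed = set(_as_list(expected))
            actual = _as_list(context[key]) if key in context else []  # absent => empty set
            if qualifier == "ForAllValues":
                ok = all(v in allowed for v in actual)  # vacuously True when absent: the trap
            elif qualifier == "ForAnyValue":
                ok = any(v in allowed for v in actual)
            elif qualifier == "":
                ok = len(actual) == 1 and actual[0] in allowed  # absent key => False
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _applies(stmt, action, resource):
    """Action matching is case-insensitive; both fields allow * and ? globs."""
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny": implicit deny, and an explicit Deny beats any Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource) and _condition_holds(stmt.get("Condition", {}), context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed request contexts (placeholder account 123456789012).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/productName-prod-orders"
OTHER_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/otherProduct-prod-orders"
IN_SCOPE = {"aws:ResourceTag/Product": "productName", "aws:ResourceTag/Environment": "prod"}
OUT_OF_SCOPE = {"aws:ResourceTag/Product": "otherProduct", "aws:ResourceTag/Environment": "prod"}
NO_TAG_KEYS = {}  # a List call, or creating a resource that does not exist yet


def demo():
    """Decisions (question policy, corrected policy) keyed by (action, resource)."""
    cases = [("dynamodb:GetItem", TABLE_ARN, IN_SCOPE),
             ("dynamodb:GetItem", OTHER_ARN, OUT_OF_SCOPE),
             ("dynamodb:ListTables", "*", NO_TAG_KEYS),
             ("iam:CreateUser", "*", NO_TAG_KEYS),
             ("dynamodb:UntagResource", TABLE_ARN, IN_SCOPE)]
    return {(action, res): (evaluate(QUESTION_POLICY, action, res, ctx),
                            evaluate(CORRECTED_POLICY, action, res, ctx))
            for action, res, ctx in cases}


if __name__ == "__main__":
    for (action, res), (before, after) in demo().items():
        print(f"{action:24} question policy: {before:5}  corrected: {after}")
```

Running it shows the two policies agree on the tagged table and disagree on the requests that carry no `aws:ResourceTag` keys: the question's policy allows `iam:CreateUser`, the corrected one denies it while still permitting `dynamodb:ListTables` through its own statement, and the explicit Deny blocks `dynamodb:UntagResource` even on an in-scope table. Before shipping a policy like the corrected one, run it through the IAM policy simulator against the real stack, since every action the contractor needs on non-taggable resources or at create time has to be enumerated explicitly.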
You can create Organizational Units and add accounts to them which only have access to the resources within those OUs. It's hierarchical, so your root account will have access to everything, and so on down the tree.
Organization -> OU1 -> OU2 -> OU3
There is, unfortunately, no CloudFormation for Organizations, but the CLI is pretty straightforward.
If you wanted to automate this, I would do something along the lines of: