
  • Cross account and resource-level permission

  • claude

    Member
    May 2, 2020 at 10:48 am

    Hello,

    in Section-Based – Configuration Management and Infrastructure as Code (DevOps),

    the following question:

    A multinational company is using multiple AWS accounts for its global cloud architecture. The AWS resources in their production account are shared among various business units of the company. A single business unit may have one or more AWS accounts that have resources in the production account. Recently, there were a lot of incidents in which the developers from a specific business unit accidentally terminated the Amazon EC2 instances owned by another business unit. A DevOps Engineer was tasked to come up with a solution to only allow a specific business unit who owns the EC2 instances and other AWS resources to terminate their own resources.

    How should the Engineer implement a multi-account strategy to satisfy this requirement?

    inherits the following response:

    Centrally manage all of your accounts using AWS Organizations. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Set up an IAM Role in the production account which has a policy that allows access to the EC2 instances including resource-level permission to terminate the instances owned by a particular business unit. Associate the cross-account access and the IAM policy to every member account of the OU.

    Can you please detail: “a policy that allows access to the EC2 instances including resource-level permission to terminate the instances owned by a particular business unit.”

    How can a single policy be used by multiple accounts since there’s no aws:account variable in IAM?

    In my comprehension, several roles are needed for such use case.

    thanks for your help,

    BR, CB.

  • Jon-Bonso

    Administrator
    May 5, 2020 at 8:45 am

    Hi Claude,

    To accomplish this, you can add the aws:PrincipalOrgPaths condition in the policy of your IAM Role. Set the value to the organizational unit ID of the caller in the resource-based policy attached to your resource.

    For more information, please refer here:

    https://aws.amazon.com/blogs/security/iam-share-aws-resources-groups-aws-accounts-aws-organizations/

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo

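As an added illustration of the reply above (example code, not from the thread or from Tutorials Dojo), the two policies on the production-account role modelled in Python: a trust policy that lets any principal under the business unit's OU assume the role via aws:PrincipalOrgPaths, and a permission policy that limits ec2:TerminateInstances to instances tagged with that business unit. The organization, root and OU IDs (o-example, r-root, ou-finance, ou-retail) and the BusinessUnit tag are constructed placeholders, and the matching functions are a simplified model of IAM evaluation, not the real engine.

```python
"""Simplified model of OU-scoped cross-account access (added example).
All IDs below are constructed placeholders, not real AWS identifiers."""
from fnmatch import fnmatchcase

# Trust policy on the role in the production account: any principal whose
# organization path falls under the Finance OU (or a nested OU) may assume it.
# aws:PrincipalOrgPaths is multivalued, hence the ForAnyValue: set operator.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
        "Condition": {"ForAnyValue:StringLike": {
            "aws:PrincipalOrgPaths": ["o-example/r-root/ou-finance/*"]}},
    }],
}

# Permission policy on the same role: terminate only instances carrying the
# BusinessUnit=finance tag (resource-level permission via a tag condition).
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/BusinessUnit": "finance"}},
    }],
}


def may_assume(principal_org_paths):
    """True when any of the caller's org paths matches a trust-policy pattern.
    StringLike wildcards (* and ?) map directly onto fnmatch semantics."""
    patterns = TRUST_POLICY["Statement"][0]["Condition"][
        "ForAnyValue:StringLike"]["aws:PrincipalOrgPaths"]
    return any(fnmatchcase(p, pat) for p in principal_org_paths for pat in patterns)


def may_terminate(instance_tags):
    """True when the instance carries every tag the permission policy requires."""
    required = PERMISSION_POLICY["Statement"][0]["Condition"]["StringEquals"]
    return all(instance_tags.get(key.split("/", 1)[1]) == value
               for key, value in required.items())


def can_terminate(principal_org_paths, instance_tags):
    """Both gates must pass: assume the role, then act on a matching instance."""
    return may_assume(principal_org_paths) and may_terminate(instance_tags)
```

Because the trust condition keys on the OU path rather than on account IDs, adding a new Finance account to the OU grants it access without editing the policy, while an account in ou-retail is refused at the AssumeRole step.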
  • claude

    Member
    May 5, 2020 at 4:53 pm

    Hello,

    Thank you very much for the explanations. I’m definitely learning a lot here!

    BR,

    CB.

  • Jon-Bonso

    Administrator
    May 5, 2020 at 5:08 pm

    You’re welcome, Claude! Glad to hear that you find our content helpful!
