
  • Cross account and resource-level permission

  • claude

    Member
    May 2, 2020 at 10:48 am

    Hello,

    in the section-based practice set, Configuration Management and Infrastructure as Code (DevOps),

    the following question:

    A multinational company is using multiple AWS accounts for its global cloud architecture. The AWS resources in their production account are shared among various business units of the company. A single business unit may have one or more AWS accounts that have resources in the production account. Recently, there were a lot of incidents in which the developers from a specific business unit accidentally terminated the Amazon EC2 instances owned by another business unit. A DevOps Engineer was tasked to come up with a solution to only allow a specific business unit who owns the EC2 instances and other AWS resources to terminate their own resources.

    How should the Engineer implement a multi-account strategy to satisfy this requirement?

    has the following answer:

    Centrally manage all of your accounts using AWS Organizations. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Set up an IAM Role in the production account which has a policy that allows access to the EC2 instances including resource-level permission to terminate the instances owned by a particular business unit. Associate the cross-account access and the IAM policy to every member accounts of the OU.

    Can you please elaborate on: “a policy that allows access to the EC2 instances including resource-level permission to terminate the instances owned by a particular business unit.”

    How can a single policy be used across multiple accounts, since there is no aws:account variable in IAM?

    In my comprehension, several roles are needed for such use case.

    Thanks for your help,

    BR, CB.

  • Jon-Bonso

    Administrator
    May 5, 2020 at 8:45 am

    Hi Claude,

    To accomplish this, you can add the aws:PrincipalOrgPaths condition to the policy of your IAM Role. Set the value to the organizational unit ID of the caller in the resource-based policy attached to your resource.

    For more information, please refer here:

    https://aws.amazon.com/blogs/security/iam-share-aws-resources-groups-aws-accounts-aws-organizations/

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo

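    A worked example of the design the two posts above describe, added here as an illustration (it is not code from the original thread or from Tutorials Dojo). It builds, for one business unit, the two policy documents that a role in the production account would carry: a trust policy whose aws:PrincipalOrgPaths condition only lets accounts under that business unit's OU assume the role, and a permissions policy whose resource-level ec2:TerminateInstances statement is conditioned on the instance's BusinessUnit tag. It then models how IAM's StringLike and StringEquals matching treats a few callers and instances. The organization, root and OU IDs, the BusinessUnit tag key and the "one role per business unit" layout are all hypothetical placeholders; the evaluator is a small model written for this example, not IAM itself.

```python
"""Per-business-unit cross-account role for a shared production account.

Added example, not code from the original thread.  All IDs, the tag key and
the role layout are hypothetical; the evaluator models IAM's StringLike /
StringEquals matching and is not the real IAM policy engine.
"""
import json
import re

# Hypothetical organization layout (constructed for this example).
ORG_ID = "o-exampleorgid"
ROOT_ID = "r-examplerootid"
BU_OUS = {
    "Finance": "ou-examplerootid-finance001",
    "Retail": "ou-examplerootid-retail0001",
}
TAG_KEY = "BusinessUnit"


def org_path_pattern(business_unit):
    """aws:PrincipalOrgPaths pattern for one OU; the trailing * also covers nested child OUs."""
    return f"{ORG_ID}/{ROOT_ID}/{BU_OUS[business_unit]}/*"


def trust_policy(business_unit):
    """Trust policy of the production-account role that one business unit may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            # aws:PrincipalOrgPaths is a multivalued key, hence ForAnyValue.
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalOrgPaths": [org_path_pattern(business_unit)]
                }
            },
        }],
    }


def permissions_policy(business_unit):
    """Permissions policy for that role: terminate only instances tagged as its own."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeInstances",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
                "Resource": "*",
            },
            {
                # Resource-level permission: instance ARNs plus a tag condition.
                "Sid": "TerminateOwnInstancesOnly",
                "Effect": "Allow",
                "Action": "ec2:TerminateInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {f"ec2:ResourceTag/{TAG_KEY}": business_unit}
                },
            },
        ],
    }


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters (slashes included), '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def can_assume(business_unit, principal_org_paths):
    """Model the trust policy: one of the caller's org paths must match the OU pattern."""
    patterns = trust_policy(business_unit)["Statement"][0]["Condition"][
        "ForAnyValue:StringLike"]["aws:PrincipalOrgPaths"]
    return any(_string_like(p, path) for p in patterns for path in principal_org_paths)


def can_terminate(business_unit, instance_tags):
    """Model the tag condition on TerminateInstances for an instance with these tags."""
    wanted = permissions_policy(business_unit)["Statement"][1]["Condition"][
        "StringEquals"][f"ec2:ResourceTag/{TAG_KEY}"]
    # An untagged instance has no ec2:ResourceTag value, so StringEquals is not
    # met and the call is implicitly denied; the comparison is case-sensitive.
    return instance_tags.get(TAG_KEY) == wanted


if __name__ == "__main__":
    # Org paths as IAM presents them: org/root/ou.../ with a trailing slash.
    finance_path = f"{ORG_ID}/{ROOT_ID}/{BU_OUS['Finance']}/"
    retail_path = f"{ORG_ID}/{ROOT_ID}/{BU_OUS['Retail']}/"
    print(json.dumps(trust_policy("Finance"), indent=2))
    print(json.dumps(permissions_policy("Finance"), indent=2))
    print("Finance account -> Finance role:", can_assume("Finance", [finance_path]))
    print("Retail account  -> Finance role:", can_assume("Finance", [retail_path]))
    print("Finance role on a Retail-tagged instance:",
          can_terminate("Finance", {TAG_KEY: "Retail"}))
```

    This layout answers the "several roles" point directly: there is one role per business unit in the production account, each with its own OU path in the trust policy and its own tag value in the permissions policy, and nothing in either document names a member account, so adding an account to the OU is enough to grant it access. The obvious gap is that the tag condition only protects instances that actually carry the BusinessUnit tag, so tagging at launch (and denying ec2:CreateTags / ec2:DeleteTags on that key to anyone but the owner) is what makes the scheme hold. A single shared role could instead compare ec2:ResourceTag/BusinessUnit with ${aws:PrincipalTag/BusinessUnit}, but that relies on session tags being passed on AssumeRole, which is a separate design decision from the OU-path approach shown here.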
  • claude

    Member
    May 5, 2020 at 4:53 pm

    Hello,

    Thank you very much for the explanations. I’m definitely learning a lot here!

    BR,

    CB.

  • Jon-Bonso

    Administrator
    May 5, 2020 at 5:08 pm

    You’re welcome, Claude! Glad to hear that you find our content helpful!
