MemberMay 2, 2020 at 10:48 am
in Section-Based – Configuration Management and Infrastructure as Code (DevOps),
the following Question :
A multinational company is using multiple AWS accounts for its global cloud architecture. The AWS resources in their production account are shared among various business units of the company. A single business unit may have one or more AWS accounts that have resources in the production account. Recently, there were a lot of incidents in which the developers from a specific business unit accidentally terminated the Amazon EC2 instances owned by another business unit. A DevOps Engineer was tasked to come up with a solution to only allow a specific business unit who owns the EC2 instances and other AWS resources to terminate their own resources.
How should the Engineer implement a multi-account strategy to satisfy this requirement?
inherits the following response :
Centrally manage all of your accounts using AWS Organizations. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Set up an IAM Role in the production account which has a policy that allows access to the EC2 instances including resource-level permission to terminate the instances owned by a particular business unit. Associate the cross-account access and the IAM policy to every member accounts of the OU.
Can you please detail : “a policy that allows access to the EC2 instances including resource-level permission to terminate the instances owned by a particular business unit.”
How can a single policy be used by multi account since there’s no aws:account variable in IAM ?
In my comprehension, several roles are needed for such use case.
thanks for your help,
AdministratorMay 5, 2020 at 8:45 am
To accomplish this, you can add the aws:PrincipalOrgPaths condition in the policy of your IAM Role. Set the value to the organizational unit ID of the caller in the resource-based policy attached to your resource.
For more information, please refer here:
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!
Jon Bonso @ Tutorials Dojo
- This reply was modified 3 years, 9 months ago by Jon-Bonso.
AdministratorMay 5, 2020 at 5:08 pm
You’re welcome, Claude! Glad to hear that you find our content helpful!
Log in to reply.