How to Scale Back Permissions on OrganizationAccountAccessRole?

Asked By TechWizard42 On

Good morning, everyone! My security team is concerned about the Administrator managed policy attached to my OrganizationAccountAccessRole. I want to keep this role available for access in case the Identity Center encounters issues, but I need to reduce its permissions. Can anyone suggest a more suitable policy that meets security standards while allowing necessary access?

4 Answers

Answered By RoleCrafter33 On

You might look into setting up an AccountAccessLimitedRole with ReadOnly or ViewOnly permissions. You can extend it with iam:PassRole and sts:AssumeRole for extra flexibility. Adding a condition like PrincipalAccountID could help tighten up security even further.

Answered By StrictAdmin77 On

I’d suggest considering an org-wide SCP to prevent modifications to the assume-role policy and related policies for member accounts. If your organization is highly regulated, limiting the accounts in scope and keeping this role solely under the billing umbrella might be wise.

Answered By SecurityNerd22 On

Oh, I feel you! It's almost like security teams are just browsing ChatGPT for advice nowadays. I totally agree with CloudGuardian—education is key. You should definitely implement Service Control Policies (SCPs) to protect that OrganizationAccess role from unwanted changes, especially its trust policy. Check out the AWS Security Reference Architecture for more support!

CloudGuardian89 -

Exactly! It's all about demonstrating how AWS best practices are not just theories, but proven methods.
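The SCP that StrictAdmin77 and SecurityNerd22 describe, written out as an added example (it is not from any answer on this page and not an AWS-published policy): attached to an OU, it denies, inside every member account under it, the IAM calls that would delete the role, rewrite its trust policy, or change the policies and permissions boundary attached to it. The role name is assumed to be the default OrganizationAccountAccessRole; adjust the Resource ARN if your organization renamed it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectOrganizationAccountAccessRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
    }
  ]
}
```

SCPs are never evaluated for the management account's own principals, but they do apply to this role once it has been assumed inside a member account, so a deliberate change to the role later means detaching or editing the SCP first.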

Answered By CloudGuardian89 On

Hey there! I've run into similar issues before. This role's primarily used for cross-account admin tasks within AWS Organizations, and it's important to note that it's only assumable from our main organizational account, which has multi-factor authentication and two-person approvals in place. Without this role, we risk losing vital administrative capabilities. You might want to explain this setup to your security team; it's how AWS Control Tower recommends structuring things too.
