- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
If you have no initial access to the AWS Account, the usual approach is for you to generate an AWS CloudFormation template which will create the Role with suitable Policies attached, and pass that to the customer for them to deploy. I'd suggest using tools such as cfn-nag and CloudFormation Guard to ensure your templates are following best practices and your own requirements for least privilege access.
It's a best practice to require an External ID as part of the trust policy.
Check out this github repo where I have tried to build a solution to help you automate user group assignment to permission sets in AWS IAM Identity Center for accessing any or all AWS accounts in your organization via federated access following principles of least privilege- Automated Role Entitlements in AWS IAM Identity Center
Contenuto pertinente
- AWS UFFICIALEAggiornata 3 anni fa
- AWS UFFICIALEAggiornata un anno fa