- 최신
- 최다 투표
- 가장 많은 댓글
Hello,
To restrict the OrganizationAccountAccessRole role to only have access to billing in the member accounts, you need to update the policy associated with this role. By default, OrganizationAccountAccessRole is created with full administrative access when an AWS Organization is created.
Here’s how to modify the role to restrict it to billing access only:
- Identify the Policy: Find the policy attached to the OrganizationAccountAccessRole. This is typically the AdministratorAccess policy.
- Create a new IAM policy that grants only billing permissions or add the AWS managed billing policy(arn:aws:iam::aws:policy/job-function/Billing)
- Attach this new policy to the OrganizationAccountAccessRole and detach any existing policies that grant broader permissions.
The IAM role OrganizationAccountAccessRole is created automatically in AWS accounts created via AWS Organizations. When an existing account is invited to join an AWS Org, the role isn't created automatically, but you can create it manually.
In both cases, the role is just a regular role residing inside each member account. It can only be modified or deleted by principals in the account with sufficient permissions. The management account doesn't control it directly.
From the management account or another trusted account, you can assume a role with sufficient permissions (such as the OrganizationAccountAccessRole with full access for now) in a member account to make the changes. Then repeat the process for all the other member accounts. You'll want to be careful if you're changing the role that you are currently using, of course, because if you limit your access rights before getting the configuration corrected, you might not get another chance.
How can I change it from the management account?
One way would be to switch to each of the member account from the management account and manually perform the IAM policy changes: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html