OrganizationAccountAccessRole

0

Currently, by default, the OrganizationAccountAccessRole role has complete access to all the resources in the member accounts. How can I make it responsible only for billing by default?

Keerthi
Asked 4 months ago, 641 views
2 answers
0

Hello,

To restrict the OrganizationAccountAccessRole role to only have access to billing in the member accounts, you need to update the policy associated with this role. By default, OrganizationAccountAccessRole is created with full administrative access when an AWS Organization is created.

Here’s how to modify the role to restrict it to billing access only:

  1. Identify the Policy: Find the policy attached to the OrganizationAccountAccessRole. This is typically the AdministratorAccess policy.
  2. Create a new IAM policy that grants only billing permissions, or add the AWS managed billing policy (arn:aws:iam::aws:policy/job-function/Billing).
  3. Attach this new policy to the OrganizationAccountAccessRole and detach any existing policies that grant broader permissions.
Expert
Answered 4 months ago
0

The IAM role OrganizationAccountAccessRole is created automatically in AWS accounts created via AWS Organizations. When an existing account is invited to join an AWS Org, the role isn't created automatically, but you can create it manually.

In both cases, the role is just a regular role residing inside each member account. It can only be modified or deleted by principals in the account with sufficient permissions. The management account doesn't control it directly.

From the management account or another trusted account, you can assume a role with sufficient permissions (such as the OrganizationAccountAccessRole with full access for now) in a member account to make the changes. Then repeat the process for all the other member accounts. You'll want to be careful if you're changing the role that you are currently using, of course, because if you limit your access rights before getting the configuration corrected, you might not get another chance.

Expert
Leo K
Answered 4 months ago
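The procedure in both answers (assume the role from the management account, attach the managed Billing policy, then detach AdministratorAccess, one member account at a time) as an added AWS CLI script. This is example code, not from either answer or from AWS. It assumes the AWS CLI v2 is installed, the current shell already holds management-account credentials allowed to assume the role, and the member account id is passed as the first argument (a placeholder; no real id appears here). The policies_to_detach helper is kept free of AWS calls so the selection logic can be checked without credentials.

```shell
#!/bin/sh
# Added example (not the answers' own code). Assumes AWS CLI v2, management-
# account credentials already in the environment, and a member account id in $1.
set -eu

ROLE_NAME="OrganizationAccountAccessRole"
BILLING_POLICY_ARN="arn:aws:iam::aws:policy/job-function/Billing"

# Pure helper: take attached policy ARNs (one per line) and print the ones to
# detach, i.e. everything except the Billing policy. No AWS calls, so it can
# be exercised without credentials.
policies_to_detach() {
    printf '%s\n' "$1" | grep -v '^$' | grep -v -x -F "$BILLING_POLICY_ARN" || true
}

# Assume the role in the member account and export its temporary credentials.
assume_member_role() {
    account_id="$1"
    creds=$(aws sts assume-role \
        --role-arn "arn:aws:iam::${account_id}:role/${ROLE_NAME}" \
        --role-session-name restrict-to-billing \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    # text output is one tab-separated line: key id, secret, session token
    set -- $creds
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Attach Billing first, then detach the broader managed policies, so the role
# is never left with nothing attached part-way through.
restrict_role_to_billing() {
    attached=$(aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
        --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n')
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$BILLING_POLICY_ARN"
    policies_to_detach "$attached" | while IFS= read -r arn; do
        echo "Detaching $arn from $ROLE_NAME"
        aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
    done
    # Inline policies are not reported by list-attached-role-policies; list
    # them so any leftover inline grant is visible and can be removed by hand.
    echo "Remaining inline policies (expected: none):"
    aws iam list-role-policies --role-name "$ROLE_NAME" --query 'PolicyNames' --output text
}

# Entry point: only act when a member account id is given, and run it from a
# session that does not itself depend on this role (Leo K's caveat above).
if [ -n "${1:-}" ]; then
    assume_member_role "$1"
    restrict_role_to_billing
fi
```

Run it once per member account (sh restrict.sh MEMBER_ACCOUNT_ID). Because the script exports the assumed-role credentials into its own process, the management-account session you started from is untouched, so losing access mid-way through one account does not lock you out of the others.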
