I have set up an EC2 instance in the public segment to serve as a jump server.
For the jump server, I have configured the VPC endpoints for signin and console to enable private access to the Management Console, and I have set up private DNS for each.
DNS lookups on the jump server are directed to the private DNS.
I have added the following settings to the policy for the signin VPC endpoint to allow access only from specific organization IDs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgId": "organizationId"
        }
      }
    }
  ]
}
```
In this scenario, I expected that logging into Identity Center would grant access to accounts within the same organization, while access to other organizations or accounts would be denied. However, the result is that all requests are blocked as being outside the scope of private access.
Additionally, when I set the policy to full access, I can log in to all accounts, so I believe the other settings are correct.
What should I do to make it work as expected?
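As an added illustration (not part of the original post, and not AWS's evaluation engine), the following simplified evaluator models how a `StringEquals` condition on `aws:PrincipalOrgId` behaves depending on whether the request context actually carries that key: under IAM condition semantics a key that is absent from the context makes `StringEquals` evaluate to false, so a request arriving without a principal organization is implicitly denied by the policy above. The organization ID `o-example111111` is a constructed placeholder.

```python
import json

# Constructed sample: the poster's endpoint policy with a placeholder org id.
ENDPOINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:PrincipalOrgId": "o-example111111"}}
    }
  ]
}
""")


def string_equals(expected_by_key, ctx):
    """StringEquals: every key must be present in the context and match.
    An absent key makes the whole block false (IAM semantics)."""
    for key, expected in expected_by_key.items():
        if key not in ctx:
            return False
        allowed_values = expected if isinstance(expected, list) else [expected]
        if ctx[key] not in allowed_values:
            return False
    return True


def evaluate(policy, ctx):
    """Return 'Allow' or 'Deny' for a request context (dict of condition keys).
    Simplified model: only StringEquals conditions are supported; Principal,
    Action and Resource are assumed to be '*' as in the policy above.
    Explicit Deny wins over Allow; no matching Allow means implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        for operator, expected_by_key in stmt.get("Condition", {}).items():
            if operator != "StringEquals":
                raise NotImplementedError(f"unsupported operator {operator}")
            if not string_equals(expected_by_key, ctx):
                break
        else:  # all conditions matched (or there were none)
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```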