aws iam policy restricts access to resources based on parent cloudformation

You can create Organization Units and add accounts to them which only have access to the resources within those OUs. It’s hierarchical, so your root account will have access to everything, so on and so forth.

Organization -> OU1 -> OU2 -> OU3

There, unfortunately, is no CloudFormation for Organizations, but the CLI is pretty straightforward.

If you wanted to automate this, I would do something along the lines of:

  1. Create Org Unit/s under root/parent OU
  2. Create Account (created in root)
  3. Move account from root to OU
  4. Generate an access key for account / create IAM and generate access key (unfortunately a ‘one-off’ manual task)
  5. Use the AWS credentials to deploy the CloudFormation stacks you wish to keep within that org unit
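The five steps above as one script, added here as an example and not part of the original answer. It assumes the AWS CLI is already configured with management-account credentials, swaps the manual access-key step for an STS assume-role of the OrganizationAccountAccessRole that create-account provisions in every new account (so no long-lived key is created), and uses placeholder OU, account, e-mail, stack and template names.

```shell
#!/bin/sh
# Added example: the five steps as one script run from the management account.
# Names, e-mail and template path are placeholders, not values from the answer.
set -eu
create_ou() {   # step 1: OU under the root; args: root-id ou-name; prints OU id
  aws organizations create-organizational-unit --parent-id "$1" --name "$2" \
    --query 'OrganizationalUnit.Id' --output text
}
create_account() {   # step 2: args: email account-name; prints the new account id
  # create-account is asynchronous: poll until SUCCEEDED before using the id
  req_id=$(aws organizations create-account --email "$1" --account-name "$2" \
             --query 'CreateAccountStatus.Id' --output text)
  while :; do
    state=$(aws organizations describe-create-account-status \
              --create-account-request-id "$req_id" \
              --query 'CreateAccountStatus.State' --output text)
    case "$state" in
      SUCCEEDED) break ;;
      FAILED) echo "account creation failed: $req_id" >&2; return 1 ;;
      *) sleep 15 ;;
    esac
  done
  aws organizations describe-create-account-status --create-account-request-id \
    "$req_id" --query 'CreateAccountStatus.AccountId' --output text
}
move_account() {   # step 3: args: account-id root-id ou-id
  aws organizations move-account --account-id "$1" \
    --source-parent-id "$2" --destination-parent-id "$3"
}
deploy_stack() {   # steps 4 and 5: args: account-id stack-name template-file
  # Instead of a hand-made IAM user and access key, assume the role that
  # create-account provisions in the new account: short-lived, nothing stored.
  creds=$(aws sts assume-role \
            --role-arn "arn:aws:iam::$1:role/OrganizationAccountAccessRole" \
            --role-session-name org-bootstrap \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- "$2" "$3" $creds   # creds is tab separated: key id, secret, session token
  AWS_ACCESS_KEY_ID=$3 AWS_SECRET_ACCESS_KEY=$4 AWS_SESSION_TOKEN=$5 \
    aws cloudformation deploy --stack-name "$1" --template-file "$2" \
      --capabilities CAPABILITY_NAMED_IAM
}
bootstrap() {   # args: ou-name email account-name stack-name template-file
  root_id=$(aws organizations list-roots --query 'Roots[0].Id' --output text)
  ou_id=$(create_ou "$root_id" "$1")
  account_id=$(create_account "$2" "$3")
  move_account "$account_id" "$root_id" "$ou_id"
  deploy_stack "$account_id" "$4" "$5"
  echo "account=$account_id ou=$ou_id"
}
if [ $# -eq 5 ]; then bootstrap "$@"; fi
```

Run it as `sh bootstrap.sh Workloads dev@example.com dev-account base-stack template.yaml`; the stack then lives in an account that sits under the Workloads OU, and the only credentials used for the deploy expire with the STS session.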
