How can I grant temporary access to my AWS Organizational Unit?


I am trying to temporarily grant access (break glass scenario) to a parent Organizational Unit, to assume a role called "Engineer" in the child Organizational Unit's (OU) AWS "Development" Account.

How can I effectively accomplish this?

For clarity, let's illustrate the AWS Organization structure as follows:

- Root (Management Account)
|-Foo (Parent - OU)
|-- Bar (Child - OU)

The current scenario makes this challenging:

  • Bar has an SCP applied that blocks / denies access from ALL OUs. The policy is called "DenyAccessToBar" (please see below).
  • There's an IAM policy in the Bar OU's Development account that allows the Foo OU to perform the sts:AssumeRole action on the "Engineer" role. Please see the policy below.

So coming back to my question, how can I effectively implement a break-glass process for the Foo OU? Will the SCP applied on the Bar OU block the Foo OU from assuming the Engineer role in the Bar OU's AWS Development Account?

Policies

  1. DenyAccessToBar (applied on the Bar OU).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAccessToBar",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "aws:RequesterOrganizationalUnitId": "ou-def1234567890"
        },
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-123456"
        }
      }
    }
  ]
}
  2. IAM policy applied in Development Account in Bar OU
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::DEV_ACCOUNT_ID:role/engineer",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-123456"
        },
        "StringEqualsIfExists": {
          "aws:PrincipalOrgUnitId": "ou-abc1234567890"
        }
      }
    }
  ]
}
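To see how the two Condition blocks above actually combine, here is a small evaluator added as an example (it is not AWS code and not the question author's code). It models only the operators the question uses (StringEquals, StringEqualsIfExists, StringNotEqualsIfExists), the rule that every clause in a Condition must match, and the rule that a matching explicit Deny overrides any Allow; it does not model which account's SCPs govern which principal. The condition keys are used exactly as written in the question, and the request contexts are constructed with the question's placeholder IDs.

```python
"""Simplified IAM/SCP condition evaluator (added example, not AWS's or the
question author's code). It reproduces only the operators used in the
question and the deny-overrides-allow rule."""

# Condition blocks copied from the two policies in the question above.
SCP_DENY_CONDITION = {
    "StringEqualsIfExists": {"aws:RequesterOrganizationalUnitId": "ou-def1234567890"},
    "StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-123456"},
}
IAM_ALLOW_CONDITION = {
    "StringEquals": {"aws:PrincipalOrgID": "o-123456"},
    "StringEqualsIfExists": {"aws:PrincipalOrgUnitId": "ou-abc1234567890"},
}


def _clause_matches(operator, key, expected, context):
    """Evaluate one (operator, key, value) clause against a request context."""
    if_exists = operator.endswith("IfExists")
    negated = "NotEquals" in operator
    if key not in context:
        # *IfExists operators are satisfied when the key is absent from the
        # request; the plain operators are not.
        return if_exists
    equal = context[key] == expected
    return (not equal) if negated else equal


def condition_matches(condition, context):
    """A Condition block matches only if every clause of every operator matches."""
    return all(
        _clause_matches(op, key, value, context)
        for op, clauses in condition.items()
        for key, value in clauses.items()
    )


def assume_role_decision(context):
    """Combine the SCP Deny and the IAM Allow: a matching explicit Deny always wins."""
    if condition_matches(SCP_DENY_CONDITION, context):
        return "DENY (SCP)"
    if condition_matches(IAM_ALLOW_CONDITION, context):
        return "ALLOW"
    return "DENY (implicit)"


# Constructed request contexts (hypothetical callers, using the question's placeholder IDs).
FOO_ENGINEER = {"aws:PrincipalOrgID": "o-123456", "aws:PrincipalOrgUnitId": "ou-abc1234567890"}
OUTSIDE_ORG = {"aws:PrincipalOrgID": "o-999999"}

if __name__ == "__main__":
    for name, ctx in (("Foo caller", FOO_ENGINEER), ("outside org", OUTSIDE_ORG)):
        print(f"{name}: {assume_role_decision(ctx)}")
```

Running it shows that, as written, the SCP's Deny only matches when aws:PrincipalOrgID is absent or differs from o-123456, so an in-organization caller is decided by the IAM Allow alone; a break-glass design that relies on this SCP to gate in-org access therefore needs a condition that actually distinguishes the break-glass principal.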
