buildmaestro

Reputation: 1456

Does AWS support a global IAM policy? Easiest way to attach policy to all roles?

I have an IAM policy that denies ec2:RunInstances if the request doesn't also include 4 required tags.

Our model is user > group > STS Assume Roles. All EC2 provisioning is done by a number of roles.

Do I have to manually attach this policy to each role, or does AWS support a global policy feature? What's the easiest way to deploy this IAM policy so that it is global across all our accounts?

Upvotes: 2

Views: 895

Answers (1)

Steve E.

Reputation: 9353

Use AWS Organisations.

'My Organization' is an option on the account drop-down within the console. From there it is straightforward to add a global policy. Add your JSON template to deny access to the ec2:RunInstances permission with conditions on the ec2:ResourceTag.

The Deny policy will take precedence over any allow policies you specify in the account roles.

Upvotes: 4
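As an added illustration of the approach in the answer (this is example policy text written for this page, not from the original poster or from AWS documentation), here is a service control policy that denies ec2:RunInstances whenever any one of four required tags is missing from the launch request. The four tag keys (Owner, CostCenter, Environment, Application) are placeholders chosen for the example; substitute the organisation's own keys. The policy checks aws:RequestTag, which is the condition key evaluated for tags supplied in the RunInstances TagSpecifications; one Deny statement per tag is used because condition keys inside a single statement are combined with AND, and a single Null block would only deny when all four tags are absent at once. The Resource is scoped to instance ARNs so that the volume resources RunInstances also creates are not evaluated against the same tag requirement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutOwnerTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "true" }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutEnvironmentTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/Environment": "true" }
      }
    },
    {
      "Sid": "DenyRunInstancesWithoutApplicationTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": { "aws:RequestTag/Application": "true" }
      }
    }
  ]
}
```

Attach the policy to the organisation root or to the OUs that contain the member accounts. Because it is an SCP, the explicit Deny applies to every IAM user and role in those accounts regardless of what their own identity policies allow, which is what makes it "global" in the sense the question asks. Two caveats a practitioner will want to verify before relying on it: SCPs do not restrict the management account itself, and they do not apply to service-linked roles, so anything launching instances from either of those paths is outside this control.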
