Reputation: 1456
Does AWS support a global IAM policy? Easiest way to attach policy to all roles?
I have an iam policy that denies ec2 runinstance if it doesn't also include 4 required tags.
Our model is user > group > STS Assume Roles. All EC2 provisioning is done by a number of roles.
Do I have to manually attach this policy to each role, or does AWS support a global policy feature? What's the easiest way to deploy this iam policy to be global across all our accounts?
Upvotes: 2
Views: 895
Answers (1)
Reputation: 9353
Use AWS Organisations.
'My Organization' is an option on the account drop down within the console. From there it is straightforward to add a global policy. Add your JSON template to deny access to the EC2:RunInstances permission with conditions on the ec2:ResourceTag.
The Deny policy will take precedence over any allow policies you specify in the account roles.
Upvotes: 4
Related Questions
- AWS IAM find a role that has a specific policy?
- How to Attach IAM role for multiple instances in a one shot
- AWS IAM Roles: Policy with permissions only over the instance itself and not every resource
- How to set policy for IAM user group?
- IAM- Switch role for AWS access and policies limit
- Does AWS IAM support a policy that permits all accounts within an AWS Organization?
- How to add IAM policy for all existed users and new users in AWS IAM?
- AWS IAM Policy to Grant All service permission to specific instances
- AWS: Assinging IAM roles to IAM users
- Is there a way to reuse AWS IAM permissions policy across users and EC2 instance roles?