Back to Blog
U2f aws5/20/2023 ![]() ![]() Access to this role can be granted by IAM Users or IAM Roles in the Organization Management (root) account (via SSO) - as with the Organization Management (root) account credentials, these should be handled with extreme diligence, and with a U2F hardware key enabled as a second-factor (and stored in a secure location such as a safe). The ability to assume this role should be considered a 'break glass' capability - to be used only in extraordinary circumstances. Given the Organizational-wide trust relationship to the role defined in organization-admin-role (default: AWSCloudFormationStackSetAdministrationRole) and its broad exclusion from SCPs (discussed below), the assumption of this role grants 'super admin' status, and is thus an extremely high privilege operation. It is therefore crucial that the Organization Management (root) account root credentials be handled with extreme diligence, and with a U2F hardware key enabled as a second-factor (and stored in a secure location such as a safe). This is realized via the role defined in organization-admin-role (default: AWSCloudFormationStackSetAdministrationRole). This account is not used for workloads and is primarily a gateway to the entire cloud footprint for a high-trust principal. By default, this role is named the OrganizationAccountAccessRole by contrast, the AWS Secure Environment Architecture allows customers to customize this role by defining it in organization-admin-role (default: AWSCloudFormationStackSetAdministrationRole).Īs discussed, the AWS Organization resides in the Organization Management (root) account. Accounts created by AWS Organizations deploy a default role with a trust policy back to the Organization Management (root). Relationship to the Organization Management (root) AWS Account (link)ĪWS accounts, as a default position, are entirely self-contained with respect to IAM principals - their Users, Roles, Groups are independent and scoped only to themselves. The AWS Secure Environment Architecture makes extensive use of AWS authorization and authentication primitives from the Identity and Access Management (IAM) service as a means to enforce the guardrail objectives of the AWS Secure Environment Architecture, and govern access to the set of accounts that makes up the Organization. ![]() Authorization and Authentication (link) 1.1.
0 Comments
Read More
Leave a Reply. |