ACM.398 A policy cannot limit access to itself and the ARN is random
In the last post, I automated the deployment of my AWS Organization Resource Policy which defines Managing Director accounts for the AWS Organizations service.
Next, I was going to add an admin user to the account I had delegated access to to the organizations, but I spent way too much time on this, so this becomes its own post.
I was thinking of creating a default admin user in each account in case of emergency. The admin user would be restricted by service control policies. I thought maybe I could write a single admin service control policy that would limit the new user’s access to my root-orgadmin account. The account will be all-powerful but didn’t want it – or any other admin – to be able to change the admin’s SCP.
I’ve encountered a few obstacles and probably won’t use SCP for this purpose.
What restrictions do we want to impose on our default admin users?
For the orgroot-root user, we want broad enough permissions to troubleshoot as needed across all accounts in case of an emergency.
The main service control policy I want to enforce right now is a restriction on changing other people’s credentials. I’ve looked at how to do this in previous articles with IAM policies.
Creating a service control policy for this based on principal was complicated, but I found a few additional possible options we can try: