by albert_e 1320 days ago
> Don’t do this! Any principal in your management account, by default, is able to assume the OrganizationAccountAccessRole in each and every one of the accounts created using the organizations:CreateAccount API.

I should note that if you use AWS Control Tower Account Factory to create the member accounts then this role does not get created.

The "Audit" account that is created by Control Tower is probably the best one to serve as the Administrative Access Account.


> Any principal in your management account, by default, is able to assume the OrganizationAccountAccessRole in each and every one of the accounts created using the organizations:CreateAccount API.

This is an untrue statement. For a principal in the management account to assume OrganizationAccountAccessRole, they need to have a principal-based policy that gives sts:AssumeRole permissions for it. Otherwise, great article. We use this pattern at $DAYJOB.
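As an added example (not from either commenter), the following Python models the point made in the reply above: a management-account principal can only assume OrganizationAccountAccessRole if a policy attached to that principal grants sts:AssumeRole on the role's ARN, with an explicit Deny overriding any Allow. The policy documents, principal names and account IDs are constructed for the example; conditions, NotAction/NotResource, SCPs and permission boundaries are deliberately not modelled, so use it as an audit aid, not as a substitute for the real IAM evaluator.

```python
import fnmatch

# Constructed placeholder: a member-account role ARN as created by organizations:CreateAccount.
MEMBER_ROLE_ARN = "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]


def _match(patterns, value, fold_case=False):
    # Actions are case-insensitive in IAM; ARNs are matched as written. '*' and '?' wildcards.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified identity-based policy evaluation for one action/resource pair.

    Any matching explicit Deny wins; without a matching Allow the implicit default is deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction/NotResource statements are not modelled here
            if not (_match(stmt["Action"], action, fold_case=True) and _match(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def principals_able_to_assume(principals, role_arn):
    """Audit helper: given {principal_name: [policy documents]}, list who can assume role_arn."""
    return sorted(name for name, pols in principals.items() if evaluate(pols, "sts:AssumeRole", role_arn))


# Constructed sample principals in a management account (not real policies from any organization).
SAMPLE_PRINCIPALS = {
    "org-admin": [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "billing-reader": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}],
    "scoped-operator": [
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                 "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"}]},
        {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "sts:*",
                                                 "Resource": "arn:aws:iam::222222222222:role/*"}]},
    ],
}

if __name__ == "__main__":
    print(principals_able_to_assume(SAMPLE_PRINCIPALS, MEMBER_ROLE_ARN))
```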