Posted On: Apr 27, 2022

Today, AWS Identity and Access Management (IAM) introduced a new way that you can control access to your resources based on the account, Organizational Unit (OU) or organization in AWS Organizations that contains your resources. AWS recommends that you set up multiple accounts as your workloads grow. Using a multi-account environment has several benefits including flexible security controls by isolating workloads or applications that have specific security requirements. With this new IAM capability, you now can author IAM policies to enable your principals to access only resources inside specific AWS accounts, OUs, or organizations.

The new capability includes condition keys for the IAM policy language called aws:ResourceAccount, aws:ResourceOrgPaths, and aws:ResourceOrgID. The new keys support a wide variety of AWS services and actions, so you can apply similar controls across different use cases. For example, you can now easily prevent your IAM principals from assuming any IAM roles outside of your own AWS account, without needing to list any specific IAM roles in your policies. To accomplish this, configure an IAM policy to deny access to AWS Security Token Service (AWS STS) assume role actions unless aws:ResourceAccount matches your unique AWS account ID. With the policy in place, when an AWS STS request is made to an account not listed in the policy, this access is blocked by default. You can attach this policy to an IAM principal to apply this rule to a single role or user, or use service control policies in AWS Organizations to apply the rule broadly across your AWS accounts.

For more information about the new condition key, see the IAM documentation.