Organizing AWS IAM permissions: limit of 10 policies?

I'm trying to polish the organization of my IAM roles in Amazon and their access to permissions.

I have groups, with policies attached, which map to groups within my company. I have reached the 10-policy limit on some groups.

So, users have a 10-policy limit, and a 10-group limit. If I want to keep things tidy, I can't start creating groups just for the sake of bundling unrelated policies together to try and keep everything under the limit of 10.

How is one supposed to organize permissions?

slezica asked Aug 03 '18 19:08



1 Answer

Two options:

  1. Create a customer-managed policy that consolidates the access the user(s) need [Recommended]

  2. Request that AWS raise the limit of 10 managed policies attached to a role for your account at the link below. That is a soft limit which you can request to be increased. Note that roles attached to groups are hard limits and cannot be increased. https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Ramyar Jafarkhani answered Oct 13 '22 00:10
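The consolidation the answer recommends, worked through as an added example (this is not code from the question or the answer). The three input policies are constructed for illustration and stand in for the policies attached to one group; the only external fact the script relies on is the documented managed-policy size quota of 6,144 characters, which IAM measures without counting whitespace. Statements are copied whole rather than merged with each other: because IAM evaluates a union of statements the same way whether they sit in one document or in ten, keeping each statement intact preserves the original Allow/Deny semantics, while merging Action lists across statements with different Resource or Condition blocks would silently widen the grant.

```python
"""Consolidate several IAM policy documents into one customer-managed policy.

Added example, not from the original question or answer. The input policies
below are constructed; the 6,144-character limit is the documented IAM quota
for a managed policy (whitespace is not counted toward it).
"""
import json

MANAGED_POLICY_MAX_CHARS = 6144  # documented IAM quota, whitespace excluded

# Constructed sample policies standing in for the ones attached to a group.
SAMPLE_POLICIES = {
    "ReadAppBucket": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-app-bucket",
                          "arn:aws:s3:::example-app-bucket/*"]}
        ],
    },
    "ReadLogs": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
             "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
            # Exact duplicate of the ReadAppBucket statement; must collapse to one.
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-app-bucket",
                          "arn:aws:s3:::example-app-bucket/*"]},
        ],
    },
    "DenyProdWrites": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny",
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::example-prod-bucket/*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
        ],
    },
}


def _canonical(stmt):
    # Stable representation so identical statements are recognised regardless
    # of key order or the order of entries in Action/Resource lists. Sid is
    # excluded because it carries no permission meaning.
    s = {k: v for k, v in stmt.items() if k != "Sid"}
    for key in ("Action", "NotAction", "Resource", "NotResource"):
        if key in s and isinstance(s[key], list):
            s[key] = sorted(s[key])
    return json.dumps(s, sort_keys=True)


def consolidate(policies):
    """Merge the statements of several policy documents into one document.

    Statements are copied whole and never merged with one another, so the
    combined Allow/Deny behaviour equals that of the separate policies.
    Exact duplicates are dropped and each statement receives a unique Sid
    derived from its source policy name and position.
    """
    seen = set()
    merged = []
    for name, doc in policies.items():
        stmts = doc["Statement"]
        if isinstance(stmts, dict):  # a single statement may be a bare object
            stmts = [stmts]
        for i, stmt in enumerate(stmts):
            key = _canonical(stmt)
            if key in seen:
                continue
            seen.add(key)
            new_stmt = dict(stmt)
            new_stmt["Sid"] = f"{name}{i}"
            merged.append(new_stmt)
    return {"Version": "2012-10-17", "Statement": merged}


def policy_size(doc):
    """Character count the way IAM measures it: whitespace is not counted."""
    text = json.dumps(doc, separators=(",", ":"))
    return sum(1 for ch in text if not ch.isspace())


def fits_managed_policy(doc):
    """True when the document is within the managed-policy size quota."""
    return policy_size(doc) <= MANAGED_POLICY_MAX_CHARS


if __name__ == "__main__":
    consolidated = consolidate(SAMPLE_POLICIES)
    print(json.dumps(consolidated, indent=2))
    print(f"{len(consolidated['Statement'])} statements, "
          f"{policy_size(consolidated)} non-whitespace characters, "
          f"fits managed policy quota: {fits_managed_policy(consolidated)}")
```

Run it as-is to see the three deduplicated statements and the size check; in practice you would feed it the output of `aws iam get-policy-version` for each policy attached to the group, and if `fits_managed_policy` returns False, split the merged statement list across two customer-managed policies rather than trimming statements.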