Permissions Boundary
A critical component of the Cloud Management Program (CMP) is the enforcement of our Permissions Boundary in the Management Account. Our Permissions Boundary is designed to follow the End Customer Account Model (ECAM) that we operate under when reselling AWS services. As part of our agreement with AWS we need to follow some guidelines:
- Prevent access to Billing in the Management Account (Organization level).
- Ensure the protection of our Playground Tech resources.
We adhere to these guidelines by enforcing the Permissions Boundary.
What does this mean for you?
The Permissions Boundary prevents you from performing certain actions within the Management Account. You cannot:
- Access Billing in the Management Account.
  - Instead, we will set up and give you access to a third-party FinOps tool, Vantage, where you can view your costs at an even more granular level.
- Access Playground Tech resources.
- Create additional access in the Management Account without attaching our Permissions Boundary (PlaygroundTechPermissionsBoundary).
  - This includes creating IAM Users and IAM Roles, and delegating access to the Management Account through SSO (IAM Identity Center).
  - As long as you attach the Permissions Boundary, the action is permitted! Keep in mind that a permissions boundary only caps what the new principal can do; it grants nothing by itself, so the principal still needs its own identity-based policy.
Beyond the restrictions above, you can still manage the Management Account as you wish!
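The "attach the boundary and the action is permitted" rule is normally enforced in IAM with an explicit Deny that is conditional on the iam:PermissionsBoundary request key. The Python below is an added example, not the CMP's actual policy or code: it builds a policy of that shape (the pattern AWS documents for delegating IAM administration with a permissions boundary) around the PlaygroundTechPermissionsBoundary name from this page, with the account ID 123456789012 as a placeholder, and pairs it with a small evaluator, constructed here, that shows which CreateRole requests the Deny catches, including the edge case where no boundary is passed at all.

```python
"""Added example: a 'boundary is mandatory' IAM policy plus a tiny evaluator.

Assumptions (not from the page): the account ID is a placeholder and the
statements follow the AWS-documented delegation pattern. Only the policy name
PlaygroundTechPermissionsBoundary comes from the page.
"""
import fnmatch
import json
from typing import Optional

ACCOUNT_ID = "123456789012"  # placeholder, assumed
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/PlaygroundTechPermissionsBoundary"


def build_enforcement_policy(boundary_arn: str = BOUNDARY_ARN) -> dict:
    """Policy for delegated admins: new principals must carry the boundary."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # iam:PermissionsBoundary is absent from the request context when
                # no boundary is passed. StringNotEquals on an absent key is true,
                # so "no boundary" is denied just like "a different boundary".
                "Sid": "DenyPrincipalWithoutBoundary",
                "Effect": "Deny",
                "Action": [
                    "iam:CreateUser",
                    "iam:CreateRole",
                    "iam:PutUserPermissionsBoundary",
                    "iam:PutRolePermissionsBoundary",
                ],
                "Resource": "*",
                "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": boundary_arn}},
            },
            {
                # Nobody may strip the boundary from an existing principal.
                "Sid": "DenyBoundaryRemoval",
                "Effect": "Deny",
                "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
                "Resource": "*",
            },
            {
                # Nobody may edit or delete the boundary policy itself.
                "Sid": "DenyBoundaryPolicyEdits",
                "Effect": "Deny",
                "Action": [
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicy",
                    "iam:DeletePolicyVersion",
                    "iam:SetDefaultPolicyVersion",
                ],
                "Resource": boundary_arn,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals, modelling IAM's missing-key rule."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key counts as "not equal", i.e. true.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def explicit_deny(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> Optional[str]:
    """Return the Sid of the first matching Deny statement, or None if nothing denies the request."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


def create_role_context(permissions_boundary: Optional[str] = None) -> dict:
    """Request context IAM builds for CreateRole; the key exists only when a boundary is passed."""
    return {"iam:PermissionsBoundary": permissions_boundary} if permissions_boundary else {}


if __name__ == "__main__":
    policy = build_enforcement_policy()
    role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/DelegatedAppRole"  # constructed sample
    print(json.dumps(policy, indent=2))
    print("no boundary      ->", explicit_deny(policy, "iam:CreateRole", role_arn, create_role_context()))
    print("wrong boundary   ->", explicit_deny(policy, "iam:CreateRole", role_arn,
                                               create_role_context(f"arn:aws:iam::{ACCOUNT_ID}:policy/Other")))
    print("correct boundary ->", explicit_deny(policy, "iam:CreateRole", role_arn, create_role_context(BOUNDARY_ARN)))
```

On the CLI, the permitted form of the request is `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json --permissions-boundary arn:aws:iam::<account-id>:policy/PlaygroundTechPermissionsBoundary`; leave `--permissions-boundary` off and the first statement denies the call. The evaluator only models explicit Deny with StringEquals/StringNotEquals, which is all this pattern needs; it is not a general IAM policy simulator.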