Cloud Access Role Inheritance and Exemption
Even though cloud access roles can be applied to OUs, they only affect accounts attached to projects. In the case of cloud access roles, OUs help you manage roles users need on multiple projects by enabling access management at a high level. When a cloud access role is attached to an OU, it is inherited by all of that OU's descendant OUs and projects. This creates a single point where you can easily manage the role, and it will be added/updated for all descendant accounts.
Where Can You Apply Cloud Access Roles?
Cloud access roles can be applied to any OU or project in your organization. Applying a cloud access role to an OU is a good way to ensure all accounts in a particular part of your organization receive the role through inheritance.
For information about applying cloud access roles to OUs and projects, see Add a User Cloud Access Role.
How are Cloud Access Roles Inherited?
Cloud access roles applied to a parent OU are inherited by all descendant OUs and projects.
Inherited cloud access roles are not affected by cloud rules applied locally on descendant resources. In general, the higher in your organization a cloud access role is applied, the less restricted it is.
Cloud access roles do not apply to every user with access to a project. Only users who have been defined in the role can use the role. For information about adding users to cloud access roles, see Managing Cloud Access Roles.
To see which cloud access roles are applied to an OU or project, navigate to that resource's details page, click the Cloud Management tab, and select Cloud Access Roles. Here, you can see if the role was applied locally or through inheritance.
How do Exemptions Work for Cloud Access Roles?
There are two ways you can use exemptions with cloud access roles.
Exempt a cloud access role from a cloud rule. Cloud access roles and cloud rules that are applied to an OU automatically become associated.
To see which rules a cloud access role is associated with, navigate an OU or project where the cloud access role is applied, click Cloud Management > Cloud Access Roles, and click the name of the cloud access role. Here, you can request to exempt the cloud access role from locally defined cloud rules. You can only exempt a cloud access role from a cloud rule on the same OU that the cloud rule is applied or on a project.
You may need to exempt a cloud access role from a locally defined cloud rule when you are defining multiple cloud access roles on the same OU. For example, you might define an infrastructure role, a finance role, and an admin role at your highest level OU, so that they can be inherited by every project in your organization; however, you may not want the same cloud rules to apply to all of them. In this case, you would still create all of your company-wide cloud rules and top-level cloud access roles on the same OU, but you would use exemptions to refine which rules apply to which roles.
When a cloud rule is exempted on a cloud access role, only the IAM policies attached to the cloud rule are blocked. All other cloud rule components are still applied (webhooks, CloudFormation templates, AMIs, SCPs, service catalog portfolios, etc.).
Exempt a resource from a cloud access role. When a cloud access role is exempted on an OU, it is not inherited by descendant resources. This kind of exemption acts like a roadblock, completely stopping the cloud access role from moving past it.
Exemptions are only visible on the resource they are applied on. Because the exemption prevents the cloud access role from being inherited, descendant resources have no knowledge of the role and will not show that they are exempt from it on their details page. To reapply a cloud access role, you must do so on the same resource you created the exemption.
For more information about requesting exemptions, see Requesting Cloud Access Role Exemptions.
How do Cloud Rules Affect Cloud Access Roles?
Cloud access roles can carry cloud rules with them, applying the rules to descendant OUs and projects. When a cloud access role is applied to an OU, it picks up all locally applied and inherited cloud rules on that OU. As a cloud access role is inherited down the organization, it does not pick up more cloud rules. Cloud access roles only become associated with cloud rules that are applied to the same OU as they are.
To see which cloud rules are being carried by a cloud access role, navigate to the cloud access role's details page. Here, you can see which rules the cloud access role is carrying and whether they are applied locally or through inheritance.
Inherited cloud access roles are not affected by local cloud rules. It is possible that a cloud rule can be applied to an OU, but not the cloud access role on that same OU. This means that an admin cloud access role applied at the top OU level will not be affected by more granular, restrictive cloud rules further down the structure, ensuring they have full access rights to projects no matter how many OUs they pass through.
For example, if you have a financial team that needs access to the AWS Billing Console for all the AWS accounts in an organization, you can create a finance cloud access role on your top-level OU. You only have to create the cloud access role once, and the team has the same access across all AWS accounts.