Closed harry1C-cw closed 3 months ago
I would strongly advise not doing this - the management account should be handled separately. The people with access to it should be very tightly controlled and have the correct experience and knowledge to work with such a highly privileged account. If the management account has been used for workloads, my best advice is to start migrating these out to member accounts; otherwise you will find yourself in a security nightmare.
There are some resources, i.e. CfCT, that need to be deployed into the management account and managed by our teams; it would be preferable to have the ability to temporarily grant access to these resources (even for "admins") rather than having permanent access.
As @reidca has explained, leveraging TEAM for management account access is an anti-pattern. However, in cases where this is required, refer to the documentation on Deploying TEAM into management account.
**Describe the bug**
I would like users to be able to request elevated access to my organisation's management account. However, this account is not showing in the list of eligible accounts when attempting to create an Eligibility Policy.

**To Reproduce**
Steps to reproduce the behavior:

**Expected behavior**
The Management account is able to be selected under the List of Eligible Accounts.

**Screenshots**
![image](https://github.com/aws-samples/iam-identity-center-team/assets/91198057/23096190-babe-463a-87e4-4cd75e2d6a08)

**Context**
I understand TEAM is not designed to do this. However, for organisations with management accounts that may not be following best practices, it would be helpful to be able to manage privileged access in this account.