Peter Bengtson
As the OP of this request, I'm checking in after a few months to see whether anything has happened to this proposed feature. I'd also like to point out that...
I couldn't wait any longer. Here's my generalised solution: https://github.com/PeterBengtson/AFT-SSO-account-configuration
Yes, of course @terencewhitenz! I'd completely forgotten about [aft_vpc_endpoints](https://github.com/aws-ia/terraform-aws-control_tower_account_factory/tree/main#input_aft_vpc_endpoints) – that will certainly bring the AFT costs for a PoC down very significantly. Thanks! :)
I second this request. Permission boundaries are vital to a least-privilege system in enterprise situations, and it is the only thing preventing me from recommending Copilot wholeheartedly for a migration...
@Lou1415926: 1. Yes, the manifests are of course editable by developers. The Boundary Permission policy will restrict what teams _actually_ can do, no matter what the teams put in...
Hi @efekarakus, @qtangs, @corey-cole! I think it would make great sense having levels here. Alternative 2 will do, and is simpler for developers, but there might be situations where the...
Hi Efe! This design looks very flexible indeed and should really do the trick. :) There's just one thing: there cannot be such a thing as assigning Boundary Permissions only...
Thanks a million for this feature! Cheers, / Peter On Tue, 27 Sept 2022 at 22:22, Janice Huang ***@***.***> wrote: > Potential future milestones: > > 1. allow passing/changing boundary...
Please see case aws/aws-cdk#3982, linked to above your reply, to suggestions by Elad and Richard giving info which seems to indicate that it's indeed possible. Judging by their comments, what...
Isn't the situation conceptually akin to prefixing every single stack name with the "namespace" prefix? OurTeam-Workload, OurTeam-Pipeline, OurTeam-WhatHaveYou, etc? This doesn't create "hard" names, which of course is something we...