
I want to block all resources except EC2, RDS and global services in AWS Organization. Below is my SCP Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyAllOutsideEU",
          "Effect": "Deny",
          "NotAction": [
            "iam:*",
            "cloudfront:*",
            "route53:*",
            "route53domains:*",
            "s3:GetAccountPublic*",
            "s3:ListAllMyBuckets",
            "s3:PutAccountPublic*",
            "shield:*",
            "sts:*",
            "support:*",
            "trustedadvisor:*",
            "waf-regional:*",
            "waf:*",
            "wafv2:*",
            "wellarchitected:*"
          ],
          "Resource": "*",
          "Condition": {
            "StringNotEquals": {
              "aws:RequestedRegion": [
                "ap-south-1"
              ]
            },
            "ArnNotLike": {
              "aws:PrincipalARN": [
                "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
                "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
              ]
            }
          }
        }
      ]
    }

Using this policy, I'm not able to get full access to WAF. Below is a screenshot of the WAF service access denied error.

[Screenshot: WAF console access denied error]

Can anyone please help me achieve this?

  • Does the IAM User have permission (from IAM) to use WAF? It might not be the Deny causing the problem, it might be because they are not Allowed to use it. To test: If you remove this SCP policy, can they access WAF? – John Rotenstein Mar 10 '22 at 09:17
  • Yes, I'm able to access WAF by removing the SCP policy. I have IAM Administration access so it seems the SCP policy is blocking my access – Lakshminarayanan S Mar 10 '22 at 09:43
  • Since it is a Deny policy and it includes `NotAction: wafv2:*`, then it would seem that the page you have shown is trying to call an API that is _not_ part of WAF. You might want to look at CloudTrail to see what Action was blocked. – John Rotenstein Mar 10 '22 at 09:53
  • There are no API calls in CloudTrail. Is there any policy for my requirement? – Lakshminarayanan S Mar 10 '22 at 10:10

1 Answer

What you are missing is ec2:DescribeRegions.

You already have all the access you want. If you try through the AWS CLI you can do whatever you have allowed in the policy. However, the Web ACLs page in the AWS console has a dropdown to load all AWS regions which uses the ec2:DescribeRegions API call, and if you don't have it you can't open the page. You have two options: either add the missing permission to your policy, or, if you don't want to add that, add region=ap-south-1 to your URL in the browser every time you navigate to the WAF page.

Also I suggest you look into arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess. There are other permissions you might need. For example, if you want to associate a web ACL with a Load Balancer you will need elasticloadbalancing:DescribeLoadBalancers and elasticloadbalancing:SetWebACL.

Pedram Tadayoni
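The following is an added example, not code from the question or the answer: a small local model of the single Deny/NotAction statement in the SCP, so you can see why the console's ec2:DescribeRegions call is denied outside ap-south-1 while wafv2 calls are not, and how adding ec2:DescribeRegions to NotAction (the answer's fix) changes the result. The principal ARN and the list of calls the WAF console makes are constructed assumptions; real SCP evaluation happens inside AWS, and a "not denied" result here still needs an IAM Allow.

```python
import fnmatch
from typing import List

# Added example: a simplified evaluator for the one Deny statement in the SCP.
# It mirrors the statement's logic only; it is not the AWS policy engine.

ALLOWED_REGIONS = ["ap-south-1"]          # StringNotEquals on aws:RequestedRegion
BYPASS_PRINCIPALS = [                     # ArnNotLike patterns on aws:PrincipalARN
    "arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
    "arn:aws:iam::*:role/Role2AllowedToBypassThisSCP",
]
# NotAction list exactly as posted in the question
NOT_ACTION_ORIGINAL = [
    "iam:*", "cloudfront:*", "route53:*", "route53domains:*",
    "s3:GetAccountPublic*", "s3:ListAllMyBuckets", "s3:PutAccountPublic*",
    "shield:*", "sts:*", "support:*", "trustedadvisor:*",
    "waf-regional:*", "waf:*", "wafv2:*", "wellarchitected:*",
]
# The answer's fix: exempt the call the WAF console uses to fill its region dropdown
NOT_ACTION_FIXED = NOT_ACTION_ORIGINAL + ["ec2:DescribeRegions"]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _arn_matches(pattern: str, arn: str) -> bool:
    """ArnLike matching: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)


def scp_denies(action: str, requested_region: str, principal_arn: str,
               not_action: List[str]) -> bool:
    """True if the Deny statement applies to this request.

    The statement fires only when ALL of its parts match:
      - the action is NOT covered by any NotAction pattern,
      - StringNotEquals: aws:RequestedRegion is not an allowed region,
      - ArnNotLike: aws:PrincipalARN matches none of the bypass roles.
    False means this SCP does not block the call; the principal's IAM
    policies must still grant it (an SCP never grants access by itself).
    """
    exempt_action = any(_action_matches(p, action) for p in not_action)
    outside_region = requested_region not in ALLOWED_REGIONS
    not_bypass = not any(_arn_matches(p, principal_arn) for p in BYPASS_PRINCIPALS)
    return (not exempt_action) and outside_region and not_bypass


def blocked_console_calls(console_region: str, principal_arn: str,
                          not_action: List[str]) -> List[str]:
    """Which of the calls the WAF console page makes would this SCP deny?

    The call list is a constructed assumption for this example; the answer
    names ec2:DescribeRegions as the one that breaks the Web ACLs page.
    """
    console_calls = ["wafv2:ListWebACLs", "ec2:DescribeRegions"]
    return [a for a in console_calls
            if scp_denies(a, console_region, principal_arn, not_action)]


if __name__ == "__main__":
    admin = "arn:aws:iam::111122223333:user/admin"   # constructed principal ARN
    for label, not_action in (("original", NOT_ACTION_ORIGINAL),
                              ("fixed", NOT_ACTION_FIXED)):
        for region in ("us-east-1", "ap-south-1"):
            blocked = blocked_console_calls(region, admin, not_action)
            print(f"{label:8} policy, console in {region:10}: blocked = {blocked}")
```

Running it shows the two workarounds from the answer side by side: with the original NotAction list the console page is only fully usable when the request is made in ap-south-1 (the `region=ap-south-1` URL trick), while with ec2:DescribeRegions added the page loads from any region. The same function also confirms that the bypass roles and the wafv2 actions are never caught by the Deny.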