
How can I create AWS SCP conditions which restrict the scope of the policy only to Azure AD users who are members of an AD group associated with a specific PermissionSet?

For example, let's assume I have AD user John@domain.com, member of "NoEC2Access" AD Group. This AD Group is mapped to "noEC2" PermissionSet.

I want to create an SCP, to be applied to some OUs, that will deny all the "ec2:*" actions to all users that are members of a group which has the "noEC2" PermissionSet mapped to it.

{
   "Version": "2012-10-17",
   "Statement": [
      {
        "Effect": "Deny",
        "Action": ["ec2:*"],
        "Resource": "*",
        "Condition": {
              <HERE THE CONDITION>
        }
      }
    ]
}

Thanks

wizard
  • That is not what SCPs are supposed to be used for. Instead you just give the role mapped by that AD group the necessary permissions. You do not want to replicate your entire IdP permission setup in the SCP. – luk2302 Aug 10 '23 at 18:06
  • @luk2302 you're right, but the example is there only to give a quick hint of what I'm looking for... the real scenario is more complex and I'd need to understand how I can use conditions to limit policy to specific PermissionSets. Thanks for your comment. – wizard Aug 11 '23 at 08:00
  • By granting the role the necessary permissions. No need for an SCP. – luk2302 Aug 11 '23 at 08:01

0 Answers
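Added example by the editor, not from the question author or from any answer on this page: one way to scope a Deny statement to the IAM roles that IAM Identity Center provisions for a single permission set, plus a small check of which principals the condition matches. The permission set name "noEC2" is taken from the question; everything else is an assumption stated in the code: that Identity Center creates one role per account per permission set named AWSReservedSSO_<PermissionSetName>_<suffix> under the path role/aws-reserved/sso.amazonaws.com/, that aws:PrincipalArn for an assumed-role session evaluates to the role ARN, and that the string_like function is only an approximation of IAM's StringLike operator, not the real policy evaluator.

```python
"""
Added example, not the question author's policy: an SCP whose Deny is scoped
by aws:PrincipalArn to the roles Identity Center creates for one permission
set, and a toy matcher to show which principal ARNs the condition catches.

Assumptions (not confirmed by the page):
  * Permission set roles are named AWSReservedSSO_<PermissionSet>_<suffix>
    under role/aws-reserved/sso.amazonaws.com/[<region>/].
  * aws:PrincipalArn for an assumed-role session is the IAM role ARN.
  * string_like() approximates IAM StringLike ('*' and '?' only).
"""
import json
import re

PERMISSION_SET = "noEC2"  # from the question

# '*' after sso.amazonaws.com/ absorbs the optional region segment; the
# trailing '*' absorbs the per-account random suffix. Note that this also
# matches a permission set whose name merely starts with "noEC2_".
ROLE_ARN_PATTERN = (
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/"
    f"*AWSReservedSSO_{PERMISSION_SET}_*"
)

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2ForNoEC2PermissionSet",
            "Effect": "Deny",
            "Action": ["ec2:*"],
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": [ROLE_ARN_PATTERN]}
            },
        }
    ],
}


def string_like(pattern: str, value: str) -> bool:
    """Approximate IAM StringLike: '*' matches any run of characters
    (including '/'), '?' matches exactly one, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def scp_denies(principal_arn: str, action: str) -> bool:
    """True if some Deny statement in SCP applies to (principal, action).
    Handles only the policy grammar used in SCP above."""
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(string_like(a, action) for a in stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        patterns = cond.get("aws:PrincipalArn", ["*"])
        if any(string_like(p, principal_arn) for p in patterns):
            return True
    return False


# Constructed sample principals: account ids and suffixes are made up.
NOEC2_ROLE = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
              "eu-west-1/AWSReservedSSO_noEC2_0123456789abcdef")
NOEC2_ROLE_NO_REGION = ("arn:aws:iam::111122223333:role/aws-reserved/"
                        "sso.amazonaws.com/AWSReservedSSO_noEC2_fedcba9876543210")
ADMIN_ROLE = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
              "eu-west-1/AWSReservedSSO_AdministratorAccess_aabbccdd00112233")
# A plain IAM role that only imitates the name must not match (wrong path).
LOOKALIKE_ROLE = "arn:aws:iam::111122223333:role/AWSReservedSSO_noEC2_fake"


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for arn in (NOEC2_ROLE, NOEC2_ROLE_NO_REGION, ADMIN_ROLE, LOOKALIKE_ROLE):
        denied = scp_denies(arn, "ec2:RunInstances")
        print(f"{arn}\n  ec2:RunInstances denied: {denied}")
```

The matcher exists only to make the pattern's reach visible: the role for the noEC2 permission set is caught with or without a region segment in its path, the AdministratorAccess role is not, and a role outside the aws-reserved path is not, even with a look-alike name. Because the condition keys on the provisioned role ARN rather than on the Azure AD group, it is a guardrail layered on top of the permission set's own policy, which is the place luk2302's comment points to for the actual grant.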