Questions tagged [aws-scp]
18 questions
1 vote, 0 answers
Why aren't some of these SCP Policies working?
I have an Org with ROOT + Management Account and TWO Accounts that inherit from Root: Development and Production. In the Development Account I'm creating the following SCPs:
I have DETACHED the default FullAwsAccess
SCP will ONLY deny any RDS…

Dorian McAllister
1 vote, 0 answers
How to allow only specific OpenID Connect provider in AWS with AWS SCP?
I'm trying to limit the possibility of adding new providers to an AWS account. I'm also using Bitbucket to deploy my app via Bitbucket Pipelines and I use OpenID Connect as a secure way for the deployments.
Now I have created a SCP to deny…

kapale
1 vote, 1 answer
Do SCP Policies affect S3 Lifecycles?
If I create and attach the following SCP policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"s3:DeleteObjectVersion"
…

Jonathan Duran
1 vote, 0 answers
How can an SCP allow users to create buckets but deny making them public?
I want to prevent the users in my organization from creating public buckets as well as changing existing buckets to give them any public access.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3-whitelist",
"Effect":…

peer
0 votes, 0 answers
AWS IAM policy based on PermissionSet mapping
How can I create AWS SCP conditions which restrict the scope of the policy only to AzureAD users which are members of AD group associated with a specific PermissionSet?
For example, let's assume I have AD user John@domain.com, member of…

wizard
0 votes, 0 answers
How to Enforce tagging in aws using aws organizations Service Control Policies(SCP)
I have tried different configurations of scps but still users can create resources without giving tags. Please suggest me the policy which works in this scenario. PFA example of one policy.
I have tried these policies but it is not working. I am…

Sarang
0 votes, 0 answers
AWS SCP for mandating S3 bucket encryption
I am trying to get an SCP policy which would mandate S3 bucket encryption. Below is the policy, but it is giving me an access denied error while trying to create a bucket.
{
"Sid": "DenyNoEncryption",
"Effect": "Deny",
"Principal": {
"Action":…

Beginner
0 votes, 1 answer
Attach AWS SCP to account that affects existing resources in that account
What happens when you attach a service control policy, let's say that only allows you to launch an EC2 instance of type t2.micro (Action: ec2:RunInstances) but the account it is being attached to already has a t2.large instance running there? Does…

Console.WriteLine
0 votes, 0 answers
Is there an AWS SCP to deny transfer of elastic IPs from one account to another?
I have done research and came across the SCP below, but after implementation I am still able to transfer an elastic IP from one account to another. Is there any change I need to make to the policy? The goal is to deny transfer of elastic IPs entirely…

Larry
0 votes, 0 answers
Prevent CodeBuild projects without VPC
I need to prevent AWS users from creating CodeBuild projects without the VPC set.
My organization wants to prohibit creation and running of CodeBuild outside of a VPC. It is not necessary to name the VPC. If the VPC is set in the project, we're…

Michael
0 votes, 0 answers
Microsoft Azure Attribute-Based Access Control with AWS Single Sign-On
Good day everyone,
I want to ask a question and I hope someone can help me here.
I use Microsoft Azure SSO for AWS account log-in.
I want to use a Service Control Policy for a special use case and I want to ask if this is possible or not.
Example:
I have…

Marcel Marciii
0 votes, 0 answers
How to use SCP to restrict AWS RAM resource sharing based on matching tags attached to Principals and Resource being shared?
I want to create and attach an SCP to the AWS Organization root or an OU to allow the sharing of subnets between accounts only if the share receiver principal (e.g., an AWS account) and the subnet being shared have matching tags (e.g.,…

Nisman
0 votes, 1 answer
AWS SCP with "NotAction" Deny is just... Denying..?
I am using a Service Control Policy - two actually. One which is on the root of my OU, which is the standard FullAWSAccess one. The other is a new one which I wrote:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSTS",
…

explainthegarlic
0 votes, 0 answers
AWS organization without SCP
In the AWS documentation of Policy evaluation logic there is the following image, describing the evaluation of policies logic:
The part for SCP has the following description (upper square in the second from the left): "is the principal's account a…
0 votes, 0 answers
The provided policy document does not meet the requirements of the specified policy type
I am getting an error while creating below SCP in AWS Organization.
Below is the error
The provided policy document does not meet the requirements of the specified policy type.
{
"Version": "2012-10-17",
"Statement": [
{
…