Tags: amazon-web-services, aws-organizations

Describe a member AWS account's SCP without assuming a role into the AWS management account


I am messing with my AWS Organizations and I'm trying to find the way to see what Service Control Policies my identity is subject to.

For example, I have a management account where I've created an SCP to Deny bugbust:* and I've attached that SCP to Member account A. Policy Document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "bugbust:*",
      "Resource": "*"
    }
  ]
}

When I test a bugbust action in Member account A, I am denied (as expected), and it says I am denied by my organization.

My question: Is there any way for a principal in Member account A to see the policy document of the SCP without assuming a role into the management account?

Ideally, I'd like to let my users in Member account A understand their SCP boundaries without giving them any organization access to the management account. I fear this is not possible, but I just wanted to confirm.


Solution

  • SCPs are only visible to the management account. Member accounts can view the Org they're in and leave the Org. They cannot see the policies on their account or the OU structure they're in.
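Since a member-account principal cannot read the attached SCPs, one way for a management-account administrator to tell users what their boundaries are is to evaluate the policy documents offline and share the result. The following is an added example, not code from the question or answer: it models SCP evaluation (explicit Deny wins at a level, otherwise some SCP at that level must Allow, and every level from the root down to the account must permit the action) over the question's own policy document; policy names, level names and the inline JSON are constructed for the example, and Resource/Condition elements are ignored.

```python
import fnmatch
import json

# Constructed from the SCP shown in the question: Allow * plus Deny bugbust:*.
DENY_BUGBUST_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "bugbust:*", "Resource": "*"}
  ]
}""")
# Equivalent of the AWS-managed FullAWSAccess SCP that is attached by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action):
    # Action names are case-insensitive and support "*" / "?" wildcards.
    # NotAction statements match everything except the listed patterns.
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                       for p in _as_list(stmt["NotAction"]))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))


def scp_decision(policy, action):
    """Decision of one SCP document for an action: 'deny', 'allow' or 'implicit_deny'.
    Resource and Condition elements are ignored (the SCPs here use Resource "*")."""
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit Deny is never overridden by an Allow
        decision = "allow"
    return decision


def effective_decision(levels, action):
    """levels: list of (name, [scp documents]) from the root down to the account.
    At each level an explicit Deny in any SCP wins; otherwise some SCP must Allow.
    Returns (allowed, name of the first level that blocks the action or None)."""
    for name, policies in levels:
        decisions = [scp_decision(p, action) for p in policies]
        if "deny" in decisions or "allow" not in decisions:
            return False, name
    return True, None
```

Running this from the management account over the documents returned by the Organizations API lets you publish per-account "what is blocked and where" summaries without granting members any organization access.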