Is it possible to start AWS SCP with a default blacklist--and incrementally add rights?
In a Pluralsight SCP course I'm working through, the instructor (Brian Eiler) described the normal state of affairs (with the Root having AWSFullAccess), but then went on to say that it could be handled the other way around–that it's possible to give the root account an SCP that grants nearly nothing and have child OUs/Accounts add permissions to that minimal set.
For learning purposes I thought I'd try this out. I proceeded as follows.
I created a new SCP: No-op
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"iam:GetLoginProfile"
],
"Resource": "*"
}
]
}
I added this No-op policy to the Organization Root account and then detached the standard FullAWSAccess SCP.
I next proved out that a user with full account rights could not list, let alone create, an EC2 instance in an account under the organization named Fun-One. So far, so good.
I then created a new SCP policy: Allow-EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*"
}
]
}
I added the Allow-EC2 SCP policy to Fun-One and expected that admin user to now be able to list and create EC2s.
Not so.
I tried many things. Nothing worked. But when I added the Allow-EC2 SCP to the root OU, the admin user was able to list and create EC2s in Fun-One.
So it appears the tale I was told is not true. I've provided that material (down below) as an "answer" to this post.
My question is this: who is confused? Me? Or the instructor?
POSTSCRIPT:
Rohit's answer matches my experience. If Service X is denied (even implicitly) in OU A, then no child OU/Account under OU A can ever permit Service X. End of story. What the instructor said is simply not true.
You are correct if there is deny at organization level, it won't check anything downwards.
Default Way - Restrict S3 Access for an Organization Unit:
- you already have FullAWS Access in SCP
- restrict S3 Access by adding DENY S3
You can Implement otherway around: For Example: I have an OraganizationUnit where I only want S3 Access:
- I will remove FullAWSAccess and only Allow S3 Access.
Facts to understand before designing these type of policies.
- Deny wins over allow, if in the same policy you have a deny statement and an allow statement for the same service/action, DENY WINS.
- if you won't allow, it will be considered deny.
- you must understand why these policies are used at given stage, for example Organization Unit SCP is to control various services at account level. If an organization unit must only read data from S3 and won't update, I will only allow read for that organization unit.
- you must understand implicit and explict deny that I have mentioned at the bottom of this anwser.
I think better way to design policy approach is to understand policy evaluation logic.
I use this diagram before designing any policy, more details are here in aws documentation
Further There are two type of denies:
- Explicit: when you mention deny in the effect of policy
- Implicit: when you mention allow in the effect but operation that is not mentioned will be considered as implicit deny.
- AWS AppSync Lambda authoriser always results in "Error: Request failed with status code 401"
- How to make CloudFront never cache index.html on S3 bucket
- AWS Cognito - How to force select account when signing in with Google
- aws_instance - changing volume_size
- couldn't get current server API group list: the server has asked for the client to provide credentials error: You must be logged in to the server
- aws s3 ls: An HTTP Client raised an unhandled exception: Invalid header value
- LocalStack TestContainer + AWS SQS + Spring Boot -> Unable to execute HTTP request
- Deleting cognito user & identity has no affect on user access
- I am trying to add a cloudfront behavior to my an origin and I am getting InvalidArgument: The parameter CachedMethods is required
- Zip multiple S3 files and stream the archive back to S3 using limited memory
- AWS public IPv4 address usage
- run scheduled task in AWS without cron
- Why can't I connect AWS RDS instance from EC2 instance in another VPC after peering
- Target Group Binding not getting created for an ALB
- How to rename MYSQL database in RDS?
- Why does Getting a record, modifying its primary key, and then Putting it back seem to overwrite the record if the primary keys are different?
- How do you add python packages in AWS Glue 3.0 Jupyter Notebook jobs?
- Running Jupyter Notebook on AWS Lambda
- Use AWS Lambda to execute a jupyter notebook on AWS Sagemaker
- Retrieve Amazon Reviews user emails through API
- How to link "aws_apigatewayv2_route" with "aws_apigatewayv2_integration"?
- Security group setup to restrict EC2 to VPC lambda
- Get files names in sub-directories in a directory in AWS3 by C#
- AWS EC2 Connection closed by when trying ssh into instance
- Selling Partner API Amazon 400 bad request
- AWS credentials from 'Single Sign On' expire too frequently - how can I get credentials with a longer lifetime?
- How to connect a lambda to a database accessible locally on Mac's localhost when using sam
- AWS EC2 Placement Groups: Partition vs Spread
- Can I trace every request using AWS X-Ray?
- Lambda cold start possible solution?