Aws chatbot guardrail policy
1/12/2024

AWS accounts can be organized in AWS Organizations into Organizational Units (OUs), which can have child OUs and member accounts. Different SCPs can be attached to different OUs, and accounts can be moved between OUs. This means you can apply heavily restrictive SCPs to a production AWS account and less restrictive (or simply different) SCPs to a sandbox account. You can also create a nursery OU in which new AWS accounts are created and given their baseline configuration before being moved to their final destination. This is useful when the initial setup requires AWS calls that you would not otherwise want to allow.

SCPs cannot restrict the Organization Master account (now called the management account). This is a primary reason why it is best practice not to use that account for anything other than Organization activities: you should not put S3 buckets, EC2 instances, or any other resources in it, because you cannot use SCPs to create guardrails around them. SCPs also cannot restrict principals outside of the Organization. A common confusion is people incorrectly assuming that they can somehow block public access to an S3 bucket from users outside of an account by using SCPs. If an S3 bucket is public, an SCP will not be able to stop random Internet users from accessing that bucket (although an SCP can stop the bucket from being made public in the first place, as will be explained later).

SCPs are similar to IAM permissions boundaries in that they define the maximum set of actions that can be allowed, but they do not actually grant any privileges. For example, the default SCP is Allow * on *, but this does not mean that anyone in the accounts can do anything; it only means that the SCP is not further restricting them. Think of the relationship between SCPs and IAM policies as two overlapping circles, with the intersection being the allowed actions. The effective privileges for an IAM principal are the intersection of the SCPs applied to their account (every SCP on the path from the root down to the account must allow the action, and an explicit Deny in any of them wins) and the IAM policies applied to the principal.
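To make the intersection rule concrete, here is a small Python evaluator, added as an example and not code from the original post. It models only the Effect and Action parts of a policy (Resource, Condition, NotAction and resource-based policy evaluation are left out so the intersection stands out), and the sample policies, the developer role and the guardrail action `s3:PutAccountPublicAccessBlock` are constructed for illustration rather than taken from a real account.

```python
"""Toy evaluator for the SCP / IAM intersection model.

Added example, not code from the original post. Only Effect and Action are
evaluated; Resource, Condition and NotAction are ignored on purpose.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement/Action be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """Evaluate one policy document against one API action.

    Returns 'deny' for a matching explicit Deny, 'allow' for a matching Allow
    and 'implicit_deny' when no statement matches. Explicit Deny always wins.
    """
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        # IAM action matching is case-insensitive and supports * and ? wildcards.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def effective_decision(action, scps, identity_policy, scps_apply=True):
    """Decide whether one call is allowed for one principal.

    SCPs never grant anything: every SCP on the path from the root to the
    account must contain a matching Allow and none may contain a matching
    Deny; the identity policy must then also allow the action.
    scps_apply=False models principals that SCPs do not bind: anyone outside
    the organization and principals in the management account.
    """
    if scps_apply:
        for scp in scps:
            if policy_decision(scp, action) != "allow":
                return "deny"
    return "allow" if policy_decision(identity_policy, action) == "allow" else "deny"


# Constructed sample policies (illustrative, not from a real account).
DEFAULT_SCP = {  # the default FullAWSAccess SCP: Allow * on *
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A guardrail SCP for a production OU: keeps the default allow but denies
# loosening the account-level S3 public access block (assumed action name).
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*"},
    ],
}

# A deny-everything SCP, e.g. for an OU holding suspended accounts.
LOCKDOWN_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# A developer role that has been granted full S3 and nothing else.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# What a public bucket policy grants an anonymous reader; treated here as
# that out-of-organization principal's only applicable policy.
PUBLIC_READ_GRANT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

# SCPs that apply to an account depend on the OU it currently sits in.
OU_SCPS = {
    "Nursery": [DEFAULT_SCP],                    # permissive while baselining
    "Production": [DEFAULT_SCP, GUARDRAIL_SCP],  # root SCP plus OU guardrail
}


def developer_can(action, ou):
    """Effective answer for the developer role in an account in the given OU."""
    return effective_decision(action, OU_SCPS[ou], DEVELOPER_POLICY)


if __name__ == "__main__":
    # Allow * in the SCP grants nothing: EC2 is not in the developer's IAM policy.
    print("ec2 in Nursery:", developer_can("ec2:RunInstances", "Nursery"))
    # The same call is allowed in the nursery but blocked once the account
    # is moved to Production, although s3:* is in the developer's IAM policy.
    print("unblock public S3 in Nursery:", developer_can("s3:PutAccountPublicAccessBlock", "Nursery"))
    print("unblock public S3 in Production:", developer_can("s3:PutAccountPublicAccessBlock", "Production"))
    # Even a deny-all SCP does not touch an anonymous Internet reader of a public bucket.
    print("anonymous read:", effective_decision("s3:GetObject", [LOCKDOWN_SCP], PUBLIC_READ_GRANT, scps_apply=False))
```

Running the file prints `deny`, `allow`, `deny` and `allow` for the four cases, which are exactly the four points of the section: an SCP Allow grants nothing on its own, moving an account between OUs changes its guardrails, an SCP Deny beats an IAM Allow, and SCPs say nothing about principals outside the Organization.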