Andremoniy
Reputation: 34900
Deny creation of new resources via Service Control Policy
Is it possible to create such a SCP (Service Control Policy) and attach it to account which denies any new resources (infrastructure) launching within this account? Assuming that the account is part of AWS Organizations.
The question arises from the following confusions:
- can SCP restrict specific actions like launching infrastructure?
- can SCP be applied on the account level (not to the organizational one!)?
Upvotes: 2
Views: 5849
Answers (1)
Andremoniy
Reputation: 34900
Yes, it is possible to do.
SCP can contain explicit deny rules, for example deny creation of any EC2-related instances and resources:
"Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Action": [ "ec2:Create*" ], "Resource": "*" } ] }Any SCP can be attached to:
- Accounts
- Organizational units
- Root account
Upvotes: 2
Related Questions
- AWS allow user to create policies that doesn't create other policies?
- Allow a user to create additional users and policies only for resources he created/own
- AWS IAM, restricting an account to see and access only resources created by itself?
- AWS Policy Restrict Permission Based On Service
- AWS policy to restrict all resources creation in one region and readonly in other regions
- IAM policy allow creation of policies, but disallow changes of own account
- aws iam policy for denying users creating new roles only with my boundary policy
- Amazon IAM policy: restrict user to create group/role only if one of the attached policy is BaseDeny
- AWS IAM Role Policy Resource Restriction
- Permission to not allow IAM USER instance to create new instance