Scilla

AWS Disallow Actions as a Root User with SCP

AWS best practices recommend securing AWS accounts by disallowing account access with root user credentials.

This is the template they provide:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRRESTRICTROOTUSER",
      "Effect": "Deny",
      "Action": "*",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}

The way I understand this is that if I attach this to my account, I will not have permissions anymore as root. But I do. And if I didn't, it would mean I'd lock myself out from any operation.

However, if I add this to another account I created, that account and any other IAM users in that account no longer have permissions.

I am confused. Here are the docs for Disallow Creation of Access Keys for the Root User.

Update

The way I am implementing the policy is through Organizations SCP.

I think the policy is supposed to be implemented through Control Tower. That is why I think what I am trying to achieve is not possible. I am still not clear about it, therefore this is not an answer.

Upvotes: 1

Answers (1)

Michael C.

It might be that the account where this SCP is not working is your management (formerly called master) account.

According to the docs:

Important: SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization.

Upvotes: 5
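As an added illustration of the rules the answer relies on (this is example code written for this page, not code from the question, the answer, or AWS), the following Python models how Organizations evaluates an SCP like the one posted for a single request. It encodes two documented behaviours: SCPs are never applied to principals in the management account, and SCPs are allow-lists, so a member-account principal needs an applicable Allow (normally the default FullAWSAccess policy) in addition to not hitting a Deny. The account numbers, the `evaluate_scps` function and its return labels are constructed for the example; only the `StringLike` condition operator is modelled because that is the only one this SCP uses.

```python
import fnmatch

# The SCP posted in the question (AWS's "restrict root user" template).
ROOT_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRRESTRICTROOTUSER",
        "Effect": "Deny",
        "Action": "*",
        "Resource": ["*"],
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}

# AWS attaches this policy to the org root, every OU and every account by
# default. SCPs are allow-lists: a principal in a member account needs an
# Allow from an attached SCP, or nothing is permitted at all.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM-style wildcard match ('*' and '?'); case-sensitive, like ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """Evaluate a Condition block. Only StringLike is modelled (the single
    operator this SCP uses); any other operator is rejected, not guessed."""
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None or not _matches_any(value, patterns):
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    return (
        _matches_any(action, stmt["Action"])
        and _matches_any(resource, stmt["Resource"])
        and _condition_matches(stmt.get("Condition", {}), context)
    )


def evaluate_scps(attached_scps, principal_arn, action, resource, management_account_id):
    """Return 'not-applied', 'denied' or 'allowed' for one request.

    Two documented rules are modelled (hypothetical helper, not an AWS API):
      1. SCPs never restrict principals in the management account.
      2. In a member account an explicit Deny wins, and without an applicable
         Allow (normally FullAWSAccess) the request is denied anyway.
    """
    account_id = principal_arn.split(":")[4]  # arn:aws:iam::<account>:...
    if account_id == management_account_id:
        return "not-applied"  # rule 1; the account's own IAM policies still apply

    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for scp in attached_scps:
        for stmt in scp["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "denied"  # rule 2: explicit Deny wins
            allowed = True
    return "allowed" if allowed else "denied"


if __name__ == "__main__":
    # Constructed account numbers; 111111111111 plays the management account.
    mgmt, member = "111111111111", "222222222222"
    both = [FULL_AWS_ACCESS, ROOT_DENY_SCP]
    for arn, scps in [
        (f"arn:aws:iam::{member}:root", both),                    # denied
        (f"arn:aws:iam::{member}:user/alice", both),              # allowed
        (f"arn:aws:iam::{mgmt}:root", both),                      # not-applied
        (f"arn:aws:iam::{member}:user/alice", [ROOT_DENY_SCP]),   # denied: no Allow left
    ]:
        print(arn, evaluate_scps(scps, arn, "s3:ListAllMyBuckets", "*", mgmt))
```

The last case is the one worth checking in a real organization: if FullAWSAccess has been detached from the OU or account and only the deny policy remains, every principal in that member account loses access, not just root. Two checks against a live organization: `aws organizations describe-organization --query Organization.MasterAccountId` tells you which account is the management account (where the SCP will not take effect), and `aws organizations list-policies-for-target --target-id <account-id> --filter SERVICE_CONTROL_POLICY` shows whether FullAWSAccess is still attached to the account that lost access.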