Reputation: 113
Describe a member AWS account's SCP without assuming to the AWS management account
I am messing with my AWS Organizations and I'm trying to find the way to see what Service Control Policies my identity is subject to.
For example, I have a management account where I've created an SCP to Deny bugbust:* and I've attached that SCP to Member account A. Policy Document:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "bugbust:*",
"Resource": "*"
}
]
}
When I test a bugbust action in Member account A, I am denied (as expected), and it says I am denied by my organization.
My question: Is there any way for a principal in the Member account A to see the policy document of SCP without assuming to the management account?
Ideally, I'd like to let my users in Member account A understand their SCP boundaries without giving them any organization access to the management account. I fear this is not possible, but I just wanted to confirm.
Upvotes: 0
Views: 844
Answers (2)
Reputation: 11330
This wasn't possible at the time the question was asked, but it is possible now (since February 2023). You can create a "resource-based delegation policy" (docs here) for your organization. You can do a lot of different things, but this example policy would allow any account in your org to view the SCPs (and backup policies, AI policies, tag policies, etc) for themselves any and other account in the organization.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllAccountsToViewOrgInfo",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribeAccount",
"organizations:DescribePolicy",
"organizations:DescribeEffectivePolicy",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListPolicies",
"organizations:ListPoliciesForTarget",
"organizations:ListTargetsForPolicy",
"organizations:ListTagsForResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-YOUR-ORG-ID"
}
}
}
]
}
Note that the Condition here isn't strictly necessary (because it's not possible to call these APIs cross-organization), but your security team might feel more comfortable with it in place.
Upvotes: 0
Reputation: 26
SCPs are only visible to the management account. Member accounts can view the Org they're in and leave the Org. They cannot see the policies on their account or the OU structure they're in.
Upvotes: 1
Related Questions
- SCP made for blocking non MFA users is blocking other AWS actions
- How to confirm which AWS account I am launching Sceptre on?
- How to require users to set their role_session_name with scp
- SCP to deny all resources except certain resources in AWS Organization
- How can one detect the AWS resources which violates/contradicts with AWS SCP policy violations
- AWS SCP policies - combining statements
- AWS Organization accounts manangement
- AWS SCP for EC2 type
- Aws Organization - handover the member account to other parties
- AWS Disallow Actions as a Root User with SCP