Reputation: 25
AWS SCP policies - combining statements
There's a limit on assigning SCP policies on Root/OUs and to save resources I'm trying to combine 2-3 policy statements together into one SCP, but this doesn't seem to work.
Does anyone have an example of how it is done in their 'organization'?
e.g. with terraform (but the json is the important part not the creation method):
resource "aws_organizations_policy" "Allowed_EC2_AND_ES_InstanceTypes" {
name = "Allowed_EC2_AND_ES_InstanceTypes"
type = "SERVICE_CONTROL_POLICY"
description = "Policy that defines which EC2 and ES Instance Types are allowed (applied via terraform)"
tags = {"purpose": "limit EC2-ES family types"}
content = <<CONTENT
{
"Version": "2012-10-17",
"Statement1": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:instance/*"],
"Condition": {
"StringNotLike": {
"ec2:InstanceType": [
"t3.*",
"m5.*",
"r5.*",
"c5.*",
"m6i.*"
]
}
}
}
],
"Statement2": [
{
"Sid": "Statement2",
"Effect": "Deny",
"Action": [
"es:CreateDomain",
"es:CreateElasticsearchDomain"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:PrincipalType": [
"t2.*",
"c4.*",
"m3.*",
"m4.*",
"r3.*",
"r4.*"
]
}
}
}
]
}
CONTENT
}
Many thanks in advance!
Upvotes: 0
Views: 875
Answers (1)
Reputation: 2295
I think there should be one "Statement" : []. Inside this [ ], multiple items which start from "Sid": are written.
In aws-doc:
The Statement element is the main element for a policy. This element is required. The Statement element can contain a single statement or an array of individual statements. Each individual statement block must be enclosed in curly braces { }. For multiple statements, the array must be enclosed in square brackets [ ].
"Statement": [{...},{...},{...}]
Therefore your example shown should be like this.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotLike": {
"ec2:InstanceType": [
"t3.*",
"m5.*",
"r5.*",
"c5.*",
"m6i.*"
]
}
}
},
{
"Sid": "Statement2",
"Effect": "Deny",
"Action": [
"es:CreateDomain",
"es:CreateElasticsearchDomain"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:PrincipalType": [
"t2.*",
"c4.*",
"m3.*",
"m4.*",
"r3.*",
"r4.*"
]
}
}
}
]
}
Upvotes: 3
Related Questions
- Describe a member AWS account's SCP without assuming to the AWS management account
- SCP to local dir
- how to combine two IAM policies together
- Do SCP Policies affect S3 Lifecycles?
- SCP to deny all resources except certain resources in AWS Organization
- How can one detect the AWS resources which violates/contradicts with AWS SCP policy violations
- AWS SCP for EC2 type
- Logical or in policy condition AWS
- How to merge AWS S3 bucket policies?
- Simplify multiple AWS S3 Policies