Enabling the "Disallow Actions as a Root User" will basically apply this SCP which will prevent you from setting up MFA for the root user. Disable it temporarily and follow the steps listed here to enable MFA for root. Once that is done re-enable the control.
With regards to the other controls, we recommend that you create a PolicyStagingOU and test the effect of guardrails in that OU before you enable them on OUs that contain running workloads. Preventative guardrails/controls are implemented using SCPs behind the scenes. SCPs can cause issues, especially in accounts that have workloads that provision or terminate resources through automation. We recommend that you test the effects of SCPs in PolicyStagingOU before attaching them to the root.
Detective guardrails may not be as problematic as they are implemented as AWS Config rules behind the scenes and will only mark resources out of compliance, but won't necessarily prevent you from provisioning resources or making API calls.
Click here to learn more about the different types of controls.
This blog may also provide some useful information.
I hope this helps. Let me know if anything needs clarification.
Hello.
Thank you for your answer.
I understand that if the elective controls were applied successfully to the current accounts, and in the future I need to create new accounts and create S3 buckets in those accounts, I should create the account within a temporary OU, because the control named "Disallow Changes to Encryption Configuration for Amazon S3 Buckets" lets me create the bucket but an error will appear: "Insufficient permissions to apply Default Encryption. You need the s3:PutEncryptionConfiguration permission to apply Default Encryption on this bucket. After you or your AWS admin has updated your IAM permissions to allow s3:PutEncryptionConfiguration, go to edit Default Encryption."
When the project or S3 bucket implementation is finished, could I move that account to the final OU?
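The two situations in this thread (root MFA setup blocked by "Disallow Actions as a Root User", and s3:PutEncryptionConfiguration failing even though IAM grants it) both come from the same rule: an explicit SCP deny wins over any IAM allow. The following is an added example, not code from the thread or from AWS: a small offline evaluator with two hand-written SCPs modelled on the named guardrails. The exact wording of AWS Control Tower's real policies, the account id and the role name are assumptions; the evaluator supports only the Deny/Action/StringLike subset those policies use.

```python
"""Added example: how an SCP deny overrides IAM permissions (not from the thread).

Assumptions: ROOT_SCP and S3_ENCRYPTION_SCP are hand-written approximations of
the Control Tower guardrails named in the thread; account id and role name are
constructed placeholders."""
import fnmatch
import json

# Constructed approximation of the "Disallow Actions as a Root User" guardrail:
# deny every action when the calling principal is the account's root user.
ROOT_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictRootUser",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
})

# Constructed approximation of "Disallow Changes to Encryption Configuration for
# Amazon S3 Buckets": deny the single API call for every principal in the OU.
S3_ENCRYPTION_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictS3EncryptionChanges",
        "Effect": "Deny",
        "Action": "s3:PutEncryptionConfiguration",
        "Resource": "*",
    }],
})

# Constructed principals (placeholder account id).
ROOT_ARN = "arn:aws:iam::111122223333:root"
ROLE_ARN = "arn:aws:iam::111122223333:role/Deployer"


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively and support '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, context):
    """Support the StringLike operator on request-context keys (enough here)."""
    if not condition:
        return True
    for key, patterns in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    return True


def scp_denies(scp_json, action, principal_arn):
    """True when any Deny statement in the SCP matches this action and principal."""
    doc = json.loads(scp_json)
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_action_matches(a, action) for a in actions) and \
                _condition_matches(stmt.get("Condition"), context):
            return True
    return False


def evaluate(attached_scps, iam_allows, action, principal_arn):
    """Simplified AWS authorization order: an SCP deny on the account's OU path
    overrides everything; otherwise the call still needs an IAM allow."""
    for scp in attached_scps:
        if scp_denies(scp, action, principal_arn):
            return "Denied by SCP"
    return "Allowed" if iam_allows else "Denied (no IAM allow)"


if __name__ == "__main__":
    # Root MFA setup is blocked while the root guardrail is attached ...
    print(evaluate([ROOT_SCP], True, "iam:EnableMFADevice", ROOT_ARN))
    # ... and works once the control is temporarily disabled, as the answer advises.
    print(evaluate([], True, "iam:EnableMFADevice", ROOT_ARN))
    # The deployer role can create the bucket but not set default encryption,
    # which is the "Insufficient permissions" error quoted in the follow-up.
    print(evaluate([ROOT_SCP, S3_ENCRYPTION_SCP], True, "s3:CreateBucket", ROLE_ARN))
    print(evaluate([ROOT_SCP, S3_ENCRYPTION_SCP], True,
                   "s3:PutEncryptionConfiguration", ROLE_ARN))
```

Running the evaluator against a candidate SCP before attaching it mirrors the PolicyStagingOU advice above: the automation role's actual API calls (create bucket, set encryption, terminate instances) can be listed and checked for unexpected "Denied by SCP" results offline, and the S3 case shows why adding IAM permissions, as the console error suggests, does not help while the control is attached to the account's OU.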