Comprehensive Log of SCP Deny actions


Greetings,

Context

We are in the process of building out our SCPs to fit our specific needs. One of the SCPs we are building is to only allow approved AWS Services.

We started with the list of necessary services, as defined in the example for SCP Regions (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region). We took that baseline set of AWS Services and added the specific list of services we wanted to allow. Our list is built off the AWS Services that were in our AWS CloudTrail log. Just to give you a frame of reference, that's about 90 (or so) allowed Services based on our footprint.

Question

So far, the SCP seems to be working. However, I do not have a comprehensive way to validate based off CloudTrail Logs. As an example, some of the SQS message actions are not put into CloudTrail.

Is there a way to get a comprehensive log for a given SCP? In other words, a log of all SCP Denies that a particular SCP Policy is generating?

Asked a year ago, 1044 views

1 Answer

One way to determine whether a service is used by an account is to examine the service last accessed data in IAM. Another way is to use AWS CloudTrail to log service usage at the API level. Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-warning-testing-effect

AWS EXPERT
answered a year ago
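Added example, not part of the question or the AWS answer above: a Python script that walks CloudTrail records and tallies the calls whose errorMessage names a service control policy, grouped by service prefix and action, which is the closest thing to a "log of SCP denies" CloudTrail offers. The records below are constructed samples; `load_cloudtrail_file` is a hypothetical helper for reading delivered log files, and the eventSource-to-prefix mapping assumes the common `<prefix>.amazonaws.com` form.

```python
import gzip
import json
from collections import defaultdict

# Text CloudTrail puts in errorMessage when the deny came from an SCP.
SCP_DENY_MARKER = "with an explicit deny in a service control policy"

# Constructed sample records (not real log data) in CloudTrail's record shape.
SAMPLE_RECORDS = [
    {"eventSource": "sqs.amazonaws.com", "eventName": "CreateQueue",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111122223333:user/alice is not authorized "
                     "to perform: sqs:CreateQueue on resource: arn:aws:sqs:us-east-1:"
                     "111122223333:q1 with an explicit deny in a service control policy"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},  # allowed call
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},  # not an SCP deny
    {"eventSource": "ecr.amazonaws.com", "eventName": "DescribeRepositories",
     "errorCode": "AccessDeniedException",
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/ci/build is not "
                     "authorized to perform: ecr:DescribeRepositories on resource: * "
                     "with an explicit deny in a service control policy"},
]

def is_scp_deny(record):
    """True when the record is a failed call whose error text names an SCP."""
    return bool(record.get("errorCode")) and SCP_DENY_MARKER in record.get("errorMessage", "")

def service_prefix(record):
    """Map eventSource (e.g. 'sqs.amazonaws.com') to the IAM service prefix ('sqs')."""
    return record.get("eventSource", "").split(".")[0]

def summarize_scp_denies(records):
    """Return {service: {eventName: count}} for calls an SCP explicitly denied."""
    denies = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if is_scp_deny(rec):
            denies[service_prefix(rec)][rec.get("eventName", "?")] += 1
    return {svc: dict(actions) for svc, actions in denies.items()}

def load_cloudtrail_file(path):
    """Hypothetical helper: read one delivery file (plain or gzipped JSON with 'Records')."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])
```

Data-plane actions CloudTrail does not record (such as the SQS message actions the question mentions) never reach this tally, so pair it with the IAM service last accessed data the answer points to.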
