- Le plus récent
- Le plus de votes
- La plupart des commentaires
I think you got it right. There is a feedback link on top of the page you could report this. In the past I've had rather good experience with this and have got very quick responses.
I also believe you're quite right, and the documentation is simply wrong. As the exact same documentation page clearly says at the very beginning:
For a permission to be allowed for a specific account, there must be an explicit Allow statement at every level from the root through each OU in the direct path to the account (including the target account itself).
And later on the page (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions):
If a permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with / permissions to the user.
Only having an "Allow EC2 access" SCP attached to both the Sandbox OU and the accounts A, B, and C inside it will only allow access to EC2 and implicitly deny everything else in all three accounts.
I'd like to point out as a general consideration on SCPs that the "Condition" clause only works in "deny" policy statements. That makes it very limited to control access with SCPs by allowing only the intended actions and relying on implicit denies to block the rest. It's more powerful always to allow all access at every level of the hierarchy and to apply an explicit "deny" for what is to be blocked.
It's technically possible to apply both, like excluding some services entirely by not allowing them and explicitly denying more specific actions with the help of the "Condition" clause for scoping (such as preventing only certain administrative IAM roles and policies from being deleted, detached, or modified), but it tends to get much more difficult for humans to comprehend than only using "denies" or "allows" to control access.
Hello,
SCP evaluation follows a deny-by-default model, meaning that any permissions not explicitly allowed in the SCPs are denied. If an allow statement is not present in the SCPs at any of the levels such as Root, Production OU or Account B, the access is denied.
As you can see from the example, SCP has allowed full access at the root level, then there is no specific SCP deny statements at Sandbox OU level and account(Only allow EC2 permissions). Therefore Account A, B and C will have full access administrative permissions.
Contenus pertinents
- demandé il y a 3 ans
- demandé il y a 10 mois
- demandé il y a 3 ans
I still don't think so. Documentation is misleading to me.
This statement (your quote)
and this statement (my quote) conflict
Your quote says any, which I interpret it must appear at least once and my quote says every, which I interpret it must appear at every level.
I tested with Full AWS access at Root, Full AWS access removed at Sandbox, Full AWS access at Account A The consequence was that I had no permissions at Account A. The error statement in Account A reads as