3 answers
1
Yes, it could be used to control the use of EC2 instances:
{
    "Sid": "",
    "Effect": "Deny",
    "Action": [
        "ec2:RunInstances"
    ],
    "Resource": [
        "arn:aws:ec2:*:*:instance/*"
    ],
    "Condition": {
        "StringNotEquals": {
            "ec2:InstanceType": [
                "c5.large"
            ]
        },
        "ForAllValues:StringNotLike": {
            "aws:PrincipalOrgPaths": [
                "o-a1234bcd/r-abc1/ou-123-xyz789/*"
            ]
        }
    }
}
This policy denies the use of c5.large instances in anything other than the specified OU.
answered 2 years ago
1
Hey - Principal Org Paths can be used to target specific OUs.
You can set a condition and use StringLike or StringNotLike to apply or exempt the policy from specific OUs.
"Condition": {
    "ForAllValues:StringNotLike": {
        "aws:PrincipalOrgPaths": [
            "o-a1234bcd/r-abc1/ou-123-xyz789/*"
        ]
    }
}
The above condition means that the policy would not apply to that specific OU.
answered 2 years ago
Thank you!!!
Could it be used to restrict specific instances (EC2) to prod/dev OUs?
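As an added example (not code from either answer above), here is a small Python evaluator that applies StringNotEquals and ForAllValues:StringNotLike the way IAM condition evaluation does, so you can check which ec2:RunInstances requests a Deny statement with the two conditions shown in the first and second answers actually matches. The statement, the org paths and the requests are constructed for the demo; only the condition operators and keys come from the answers.

```python
import fnmatch

# Constructed statement with the same shape as the SCP in the first answer.
STATEMENT = {
    "Effect": "Deny", "Action": ["ec2:RunInstances"],
    "Condition": {
        "StringNotEquals": {"ec2:InstanceType": ["c5.large"]},
        "ForAllValues:StringNotLike": {
            "aws:PrincipalOrgPaths": ["o-a1234bcd/r-abc1/ou-123-xyz789/*"]}}}

def _base_test(base, patterns):
    """Predicate for one string operator; IAM globs use only * and ?, case-sensitive."""
    if base in ("StringEquals", "StringNotEquals"):
        hit = lambda v: v in patterns
    elif base in ("StringLike", "StringNotLike"):
        hit = lambda v: any(fnmatch.fnmatchcase(v, p) for p in patterns)
    else:
        raise ValueError("unsupported operator " + base)
    return (lambda v: not hit(v)) if "Not" in base else hit

def _condition_matches(operator, values, patterns):
    """Evaluate one operator against the request's values for one condition key."""
    set_op, _, base = operator.rpartition(":")
    ok = _base_test(base, patterns)
    if set_op == "ForAllValues":
        # true when every value passes, and vacuously true when the key is absent
        return all(ok(v) for v in values)
    return bool(values) and ok(values[0])  # single-valued: absent key never matches

def statement_denies(statement, request):
    """True when this Deny statement matches the request (every condition holds)."""
    if statement["Effect"] != "Deny" or request["action"] not in statement["Action"]:
        return False
    ctx = request["context"]
    return all(_condition_matches(op, ctx.get(key, []), pats)
               for op, kv in statement["Condition"].items() for key, pats in kv.items())

def launch(instance_type, org_path):
    """Constructed ec2:RunInstances request; org_path None = principal outside any org."""
    ctx = {"ec2:InstanceType": [instance_type]}
    if org_path is not None:
        ctx["aws:PrincipalOrgPaths"] = [org_path]
    return {"action": "ec2:RunInstances", "context": ctx}

IN_OU = "o-a1234bcd/r-abc1/ou-123-xyz789/ou-456-dev001/"  # constructed, under the target OU
OTHER_OU = "o-a1234bcd/r-abc1/ou-999-other/"             # constructed, outside it

if __name__ == "__main__":
    for itype, path in [("c5.large", IN_OU), ("m5.large", IN_OU), ("m5.large", OTHER_OU), ("m5.large", None)]:
        print(itype, path or "<no org path>", statement_denies(STATEMENT, launch(itype, path)))
```

Running it shows the statement only matches launches whose type is not c5.large by principals whose org path does not fall under the OU, and because ForAllValues is vacuously true when aws:PrincipalOrgPaths is absent, a principal with no organization path also satisfies that condition.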
0
Take a look at this blog post: How to control access to AWS resources based on AWS account, OU, or organization.
answered 2 years ago
Thank you!!