1 Answer
1
No, you cannot do this via SCPs alone. SCPs don't grant any actions, only allow that certain actions can be granted by identity policies, so you will have to have some identity policies involved.
Another problem you will run into is that an explicit deny anywhere in the policy evaluation logic will result in the action being denied, even if it is also allowed. This means that if you want any principals in an account to have an action (e.g. write to a specific region), then the SCPs must allow it.
Unless you scope your regions to specific accounts or OUs, you cannot implement what you want with SCPs.
answered 2 years ago
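The evaluation rules described in this answer, as an added example that is not part of the original answer and not AWS code: a simplified Python model in which SCPs only filter, an identity policy must grant, and any explicit deny wins. The `evaluate` helper, the sample policies, the account names and the region values are constructed for illustration; resources, permission boundaries and resource-based policies are ignored.

```python
# Added example: simplified model of how SCPs and identity policies combine.
# Ignores resources, permission boundaries and resource-based policies.
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, region):
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        hit = region in _as_list(keys["aws:RequestedRegion"])
        if (op == "StringEquals" and not hit) or (op == "StringNotEquals" and hit):
            return False
    return True

def _effects(policies, action, region):
    return {s["Effect"] for p in policies for s in p["Statement"]
            if _matches(s, action, region)}

def evaluate(scp_levels, identity_policies, action, region):
    """scp_levels: SCPs attached at root, each OU, and the account, in order."""
    levels = [_effects(lvl, action, region) for lvl in scp_levels]
    identity = _effects(identity_policies, action, region)
    if "Deny" in identity or any("Deny" in e for e in levels):
        return "ExplicitDeny"      # a deny anywhere wins over every allow
    if not all("Allow" in e for e in levels):
        return "ImplicitDeny"      # SCPs at every level must permit the action
    if "Allow" not in identity:
        return "ImplicitDeny"      # SCPs never grant; an identity policy must
    return "Allow"

# Constructed sample policies (region and action chosen for illustration).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
REGION_GUARD = {"Statement": [{
    "Effect": "Deny", "Action": "s3:Put*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
WRITER = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject"}]}

ACCOUNT_A = [[FULL_ACCESS], [FULL_ACCESS, REGION_GUARD]]  # guard on this account only
ACCOUNT_B = [[FULL_ACCESS], [FULL_ACCESS]]

if __name__ == "__main__":
    for name, lv, ids, region in [("A no identity policy", ACCOUNT_A, [], "eu-west-1"),
                                  ("A wrong region", ACCOUNT_A, [WRITER], "us-east-1"),
                                  ("A allowed region", ACCOUNT_A, [WRITER], "eu-west-1"),
                                  ("B other region", ACCOUNT_B, [WRITER], "us-east-1")]:
        print(name, "->", evaluate(lv, ids, "s3:PutObject", region))
```

Because the region guard is attached only at account A's level, account B can still write in other regions, which is the per-account or per-OU scoping the answer refers to.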