Hello.
As I answered in the following post, I think it can be controlled by using "Condition".
The "aws:PrincipalArn" can be controlled by setting it to the ARN of the IAM role used by Lambda.
https://repost.aws/questions/QUaLMr8nNLRIS4-gol-sknMQ/prevent-function-deletion#ANzwYUljYfSzqiBIyWqrkdyQ
Hello. Another thing to keep in mind is that each service has its own tagging action, so you need to make sure that each tagging action for each service is restricted in the SCP. You can view the list of services and their actions within this doc: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
Additionally, for the conditions on restricting it to specific roles or a Lambda function, they may want to use conditions such as these:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn
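
The two answers above combine into one SCP: deny each service's tagging actions unless `aws:PrincipalArn` is the Lambda's role. The following is an added example, not code from either answer; it builds such a policy and checks an SCP for tagging actions it fails to cover. The account ID, role name and the short action list are assumptions chosen for illustration.

```python
import fnmatch
import json

# Assumption: placeholder account ID and role name, not taken from the thread.
LAMBDA_ROLE_ARN = "arn:aws:iam::111122223333:role/example-tagging-lambda-role"

# Per-service tagging actions to protect. A short sample only: extend it from
# the service authorization reference for every service in use.
TAG_ACTIONS = [
    "ec2:CreateTags", "ec2:DeleteTags",
    "lambda:TagResource", "lambda:UntagResource",
    "s3:PutBucketTagging",
]

def build_scp(actions, exempt_role_arn):
    """Deny the given actions to every principal except the exempt role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyTaggingExceptLambdaRole",
            "Effect": "Deny",
            "Action": sorted(actions),
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": exempt_role_arn}},
        }],
    }

def uncovered_actions(scp, required):
    """Return the required actions that no Deny statement in the SCP matches."""
    statements = scp.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        acts = stmt.get("Action", [])
        patterns += [acts] if isinstance(acts, str) else list(acts)
    # Action names are case-insensitive and may contain * and ? wildcards.
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)]

if __name__ == "__main__":
    scp = build_scp(TAG_ACTIONS, LAMBDA_ROLE_ARN)
    print(json.dumps(scp, indent=2))
    print("uncovered:", uncovered_actions(scp, TAG_ACTIONS))
```

Running `uncovered_actions` against the SCP actually attached to the organization, with the full action list for the services in use, shows which per-service tagging actions are still unrestricted.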