Hi, the policy you used gives users with the same division type access to start the instances. This, however, doesn't imply that only they can do those actions. Therefore, assuming your user still has ec2:StartInstances or ec2:* on Resource "*", you won't be revoked of that access.
Since it is evident that you are using AWS Organizations, I recommend using Custom Service Control Policies instead.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Hi Gab, thanks for your reply!
I had used a test account that had no other permissions. The account was unable to start/stop instances at first, and it worked after the Division had been set accordingly. But it kept working after I changed the Division back, for quite some time, until eventually it stopped. Weird, but in the end, no big problem.
Whoops, and after a month I come back and find this draft still unsent - sorry. Yeah, I had opened a browser tab to check out the Service Control Policies stuff, and never got around to it, until now. Interesting stuff, actually! Another layer of control, that's cool. Not sure yet how to apply it in my case. They deny access to resources, but if I set such a rule via SCP that denies if the Division does not match, how would I make exceptions? But that's getting outside of this question's scope I guess, I'll just keep on reading on that stuff.
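An added example of the SCP approach recommended in the answer above (not a policy from this thread or from AWS documentation): an explicit Deny on EC2 start/stop whenever the instance's Division tag does not equal the caller's Division principal tag, with one assumed-name break-glass role exempted by ARN. The tag key Division comes from the thread; the role name OrgBreakGlassAdmin is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2StartStopOnDivisionMismatch",
      "Effect": "Deny",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Division": "${aws:PrincipalTag/Division}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgBreakGlassAdmin"
        }
      }
    }
  ]
}
```

Because StringNotEquals evaluates to true when either tag is absent, an untagged principal or an untagged instance is also denied, which is the safer default; the Deny applies on top of whatever Allow the member account's IAM policies grant, so a broad ec2:* no longer bypasses the Division check.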