Using Amazon service control policy to restrict Amazon Workspaces with encypted volumes

Question

I'm trying to create a service control policy to restrict creating Amazon Workspaces only with encrypted volumes. For example:

```
{
	"Effect": "Deny",
	"Action": [
		"workspaces:CreateWorkspaces"
	],
	"Condition": {
		"ForAnyValues:Bool": [
		        {"workspaces:UserVolumeEncryptionEnabled": "false"},
	            {"workspaces:RootVolumeEncryptionEnabled": "false"}
	    ]
	},
	"Resource": [
		"*"
	]
}
```

However, the service control policy editor gives me an error: "The provided policy document does not meet the requirements of the specified policy type." Why is this happening?

Accepted Answer

Amazon WorkSpaces [doesn't have any service level condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonworkspaces.html#amazonworkspaces-policy-keys) that you can use with a service control policy. Therefore, specifying the "workspaces:userVolumeEncryptionEnabled" as a condition in your policy will cause an error. For more information, see [Specify WorkSpaces resources in an IAM policy](https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#wsp_iam_resource).

Using Amazon service control policy to restrict Amazon Workspaces with encypted volumes

関連するコンテンツ