- 新しい順
- 投票が多い順
- コメントが多い順
Hello.
As I answered in the following post, I think it can be controlled by using "Condition".
The "aws:PrincipalArn" can be controlled by setting it to the ARN of the IAM role used by Lambda.
https://repost.aws/questions/QUaLMr8nNLRIS4-gol-sknMQ/prevent-function-deletion#ANzwYUljYfSzqiBIyWqrkdyQ
Hello, Another thing to keep in mind is that each service has their own tagging action, so you need to make sure that each tagging action for each service is restricted in the SCP. You can view the list of services and their actions within this doc: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
Additionally, for the conditions on restricting it to specific roles are a lambda function, they may want to use conditions such as these: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn
関連するコンテンツ
- AWS公式更新しました 2年前