1 answer
No, you cannot do this via SCPs alone. SCPs don't grant any actions, only allow that certain actions can be granted by identity policies, so you will have to have some identity policies involved.
Another problem you will run into is that an explicit deny anywhere in the policy evaluation logic will result in the action being denied, even if it is also allowed. This means that if you want any principals in an account to have an action (e.g. write to a specific region), then the SCPs must allow it.
Unless you scope your regions to specific accounts or OUs, you cannot implement what you want with SCPs.
Answered 2 years ago
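The evaluation rules the answer relies on (an SCP never grants by itself, an explicit deny anywhere wins, and an identity policy must supply the allow) can be checked with a small simulator. The code below is an added example and is not part of the re:Post answer or of any AWS tooling; it implements only the pieces the answer discusses (SCPs plus identity policies, `Action`/`NotAction`, `StringEquals`/`StringNotEquals` on `aws:RequestedRegion`) and ignores resource policies, permission boundaries and session policies. The two policy documents, `SCP_REGION_LOCK` and `IDENTITY_S3_WRITER`, are constructed for illustration.

```python
"""Simplified AWS policy evaluation for one principal in one account.

Added example, not from the re:Post answer. It models only what the answer
talks about: SCPs never grant, an explicit Deny anywhere wins, and an
identity policy is required for an Allow. Real IAM evaluation has more
layers (resource policies, permission boundaries, session policies).
"""
import fnmatch

# Constructed SCP attached to an OU: deny every action outside eu-west-1
# except a few global services. Shape and condition key follow the real
# SCP format, but the document itself is made up for this example.
SCP_REGION_LOCK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}},
        },
    ],
}

# Constructed identity policy on a role in that account.
IDENTITY_S3_WRITER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """True if the statement's Action/NotAction selects this action."""
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    # NotAction: the statement applies to every action NOT listed.
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))


def _condition_matches(statement, context):
    """Only StringEquals / StringNotEquals are modelled; that is all we need."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            hit = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True


def evaluate_policy(policy, action, context):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    result = "Implicit"
    for st in policy["Statement"]:
        if _action_matches(st, action) and _condition_matches(st, context):
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny: nothing in this document overrides it
            result = "Allow"
    return result


def is_allowed(scps, identity_policies, action, context):
    """Combine SCPs and identity policies the way the answer describes."""
    scp_results = [evaluate_policy(p, action, context) for p in scps]
    idp_results = [evaluate_policy(p, action, context) for p in identity_policies]
    if "Deny" in scp_results or "Deny" in idp_results:
        return False  # an explicit deny anywhere wins
    if any(r != "Allow" for r in scp_results):
        return False  # every SCP in the chain must allow the action
    return "Allow" in idp_results  # SCPs never grant; an identity policy must


if __name__ == "__main__":
    ctx_eu = {"aws:RequestedRegion": "eu-west-1"}
    ctx_us = {"aws:RequestedRegion": "us-east-1"}
    print(is_allowed([SCP_REGION_LOCK], [IDENTITY_S3_WRITER], "s3:PutObject", ctx_eu))
    print(is_allowed([SCP_REGION_LOCK], [IDENTITY_S3_WRITER], "s3:PutObject", ctx_us))
    print(is_allowed([SCP_REGION_LOCK], [], "s3:PutObject", ctx_eu))
```

Running it shows the three outcomes the answer predicts: the write in eu-west-1 succeeds because both the SCP and the identity policy allow it, the same write in us-east-1 is blocked by the SCP's explicit deny regardless of the identity policy, and with the SCP alone (no identity policy) the write is denied even in the permitted region, because an SCP only sets the ceiling and never grants.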