Greetings,
Context
We are in the process of building out our SCPs to fit our specific needs. One of the SCPs we are building is to only allow approved AWS Services.
We started with the list of necessary services, as defined in the example for SCP Regions (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region)
We took that baseline set of AWS Services and added the specific list of services we wanted to allow. Our list is built off the AWS Services that were in our AWS Cloudtrail log. Just to give you a frame of reference, that's about 90 (or so) allowed Services based on our footprint.
Question
So far, the SCP seems to be working. However, I do not have a comprehensive way to validate based off CloudTrail Logs. As an example, some of the SQS message actions are not put into CloudTrail.
Is there a way to get a comprehensive log for a given SCP? In other words, a log of all SCP Denies that a particular SCP Policy is generating?
