1 answer
1
If the only SCP you have enabled is one that disables root for member accounts, then no non-root functionality inside the account should stop working. Joining an Organization is also a two-way door: you can remove the account from the Organization if there are unintended issues. Is the SCP at the root level of the Org or at each OU? One best practice is to have a transitional OU with limited controls for bringing in new accounts. Once the account is in the Org without issues and everything is working, you can move it to its permanent OU with the SCP(s) in place.
Answered a year ago
Thanks for posting! The SCP is applied at the individual OUs and not at the root. This was on purpose, so that when the account joins, it will initially join without the SCP taking effect. The plan is to move the account into the OU once it has joined without issues. I like the idea of a transitional OU; can you invite an account into an initial OU? So far I've only seen them join the root.
You are correct. However, that should not be a concern, since root SCPs are inherited regardless. Once the account is added, just move it to the Transitional OU. This way any additional OU-level policies for standard accounts won't apply to the new account until you are ready.
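To make the inheritance point in the thread concrete, here is an added example (not part of the original answer or AWS code) that models a small Organization tree and evaluates whether SCPs permit an action for a given principal. The org layout (a Root, a "Transitional" OU with only the default FullAWSAccess policy, and a "Workloads" OU that additionally carries a deny-root SCP), the account id 111122223333 and the role name are all constructed for the example. The deny statement follows the `aws:PrincipalArn` / `arn:aws:iam::*:root` condition pattern AWS documents for restricting the root user; the evaluator is a simplification that handles only `Action` globs and that one condition key, and it does not model the management account, which SCPs never affect.

```python
"""Toy model of SCP inheritance in AWS Organizations (added example, not AWS code)."""
from fnmatch import fnmatch

# Deny every action to the member account's root user. Pattern follows the
# AWS-documented aws:PrincipalArn condition; the Sid is constructed here.
DENY_ROOT_USER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictRootUser",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}

# Equivalent of the AWS-managed FullAWSAccess policy attached by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed org layout: which SCPs are attached at the Root and at each OU.
# The deny-root SCP lives only on the Workloads OU, as in the thread.
ORG = {
    "Root": {"scps": [FULL_AWS_ACCESS], "parent": None},
    "Transitional": {"scps": [FULL_AWS_ACCESS], "parent": "Root"},
    "Workloads": {"scps": [FULL_AWS_ACCESS, DENY_ROOT_USER], "parent": "Root"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, principal_arn):
    """True if the statement's Action glob and (optional) PrincipalArn condition match."""
    if not any(fnmatch(action, pattern) for pattern in _as_list(stmt["Action"])):
        return False
    patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
    if patterns is None:  # unconditional statement
        return True
    return any(fnmatch(principal_arn, p) for p in _as_list(patterns))


def level_allows(scps, action, principal_arn):
    """One level of the tree allows the action only if some SCP allows it and none denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _statement_matches(stmt, action, principal_arn):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def path_to_root(node):
    """Nodes from the account's container up to the Root, e.g. ['Workloads', 'Root']."""
    path = []
    while node is not None:
        path.append(node)
        node = ORG[node]["parent"]
    return path


def scps_permit(container, action, principal_arn):
    """SCPs permit an action only if every level between the account and the Root allows it.
    That is why Root-level SCPs apply regardless of OU, while an OU's extra policies
    only bite once the account is actually moved into that OU."""
    return all(level_allows(ORG[n]["scps"], action, principal_arn) for n in path_to_root(container))


if __name__ == "__main__":
    root_user = "arn:aws:iam::111122223333:root"      # constructed account id
    admin_role = "arn:aws:iam::111122223333:role/Admin"
    for container in ("Root", "Transitional", "Workloads"):
        for principal in (root_user, admin_role):
            verdict = scps_permit(container, "s3:ListAllMyBuckets", principal)
            print(f"{container:13} {principal.split(':')[-1]:11} -> {'permit' if verdict else 'DENY'}")
```

Running it shows the root user is still permitted while the new account sits in the Transitional OU, is denied as soon as it is moved under Workloads, and that an IAM role in the same account is unaffected either way, which is the "non-root functionality keeps working" claim from the answer.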