3 Answers
1
Yes, it could be used to control the use of EC2 instances:
{
  "Sid": "",
  "Effect": "Deny",
  "Action": [
    "ec2:RunInstances"
  ],
  "Resource": [
    "arn:aws:ec2:*:*:instance/*"
  ],
  "Condition": {
    "StringEquals": {
      "ec2:InstanceType": [
        "c5.large"
      ]
    },
    "ForAllValues:StringNotLike": {
      "aws:PrincipalOrgPaths": [
        "o-a1234bcd/r-abc1/ou-123-xyz789/*"
      ]
    }
  }
}
This policy denies the use of c5.large instances in anything other than the specified OU.
answered 2 years ago
1
Hey - Principal Org Paths can be used to target specific OUs. You can set a condition and use StringLike or StringNotLike to apply or exempt the policy from specific OUs.
"Condition": {
  "ForAllValues:StringNotLike": {
    "aws:PrincipalOrgPaths": [
      "o-a1234bcd/r-abc1/ou-123-xyz789/*"
    ]
  }
}
The above condition means that the policy would not apply to that specific OU.
answered 2 years ago
Thank you!!!
Could it be used to restrict specific instances (EC2) to prod/dev OUs?
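To see how the Deny statement from the first answer and the aws:PrincipalOrgPaths condition from the second combine, here is an added example (not code from this thread or from AWS): a minimal evaluator that runs the statement against constructed request contexts. It uses StringEquals for the instance type so the statement denies c5.large outside the OU, as the first answer describes; the child-OU and sibling-OU paths are constructed, and real IAM evaluation (resource matching, other statements, SCP inheritance) is not modelled.

```python
# Added example, not code from the re:Post thread or from AWS: a minimal evaluator
# for the first answer's Deny statement, showing how its two condition blocks AND
# together and how ForAllValues behaves when aws:PrincipalOrgPaths is absent.
# Policy values come from the thread; the request contexts are constructed.
from fnmatch import fnmatchcase

DENY_C5_OUTSIDE_OU = {
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Condition": {
        "StringEquals": {"ec2:InstanceType": ["c5.large"]},  # the type is c5.large ...
        "ForAllValues:StringNotLike": {                       # ... AND the caller is outside the OU
            "aws:PrincipalOrgPaths": ["o-a1234bcd/r-abc1/ou-123-xyz789/*"]},
    },
}

def _string_op(op, value, patterns):
    like = any(fnmatchcase(value, p) for p in patterns)  # IAM's * and ? wildcards
    return {"StringEquals": value in patterns, "StringNotEquals": value not in patterns,
            "StringLike": like, "StringNotLike": not like}[op]

def _block_holds(op, key_patterns, ctx):
    # One operator block; every key in it must hold. A missing key is an empty value set.
    set_op, _, base = op.rpartition(":")
    for key, patterns in key_patterns.items():
        values = ctx.get(key, [])
        if set_op == "ForAllValues":    # vacuously True when the key is absent
            ok = all(_string_op(base, v, patterns) for v in values)
        else:                           # plain single-valued operator: an absent key fails
            assert set_op == "", f"unsupported set operator {set_op}"
            ok = bool(values) and _string_op(base, values[0], patterns)
        if not ok:
            return False
    return True

def deny_applies(statement, action, ctx):
    # The Deny matches when the action is listed and every condition block holds.
    return (any(fnmatchcase(action, a) for a in statement["Action"])
            and all(_block_holds(op, kp, ctx) for op, kp in statement["Condition"].items()))

def evaluate_thread_scenarios():
    in_ou = ["o-a1234bcd/r-abc1/ou-123-xyz789/ou-456-prod/"]  # constructed child-OU path
    other_ou = ["o-a1234bcd/r-abc1/ou-999-dev/"]             # constructed sibling-OU path
    cases = {
        "c5.large from target OU": {"ec2:InstanceType": ["c5.large"], "aws:PrincipalOrgPaths": in_ou},
        "c5.large from another OU": {"ec2:InstanceType": ["c5.large"], "aws:PrincipalOrgPaths": other_ou},
        "t3.micro from another OU": {"ec2:InstanceType": ["t3.micro"], "aws:PrincipalOrgPaths": other_ou},
        "c5.large, no org path key": {"ec2:InstanceType": ["c5.large"]},
    }
    return {label: deny_applies(DENY_C5_OUTSIDE_OU, "ec2:RunInstances", ctx)
            for label, ctx in cases.items()}
```

Note the last case: with ForAllValues a missing aws:PrincipalOrgPaths key makes the condition true, so a principal with no org path (for example, one outside the organization) is denied rather than exempted.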
0
Take a look at this blog post: How to control access to AWS resources based on AWS account, OU, or organization.
answered 2 years ago
Thank you!!