Services vanished after enabling all features in Organization


I lost access to my S3 buckets, Lambda functions, and CloudFront distributions after the Account Manager of the Organization I'm a member of "Enabled all features" in the organization. Strangely he can't see them either in his account so it's not a matter of him adjusting the permissions on the services. How can I regain access to what I've lost?

asked 2 years ago, 366 views
1 Answer

Hi There,

I understand you lost access to your S3 buckets, Lambda functions, and CloudFront distributions after the Account Manager of the Organization you are a member of "Enabled all features" in the organization.

The process of enabling "All Features" in Organizations by itself will not impact any existing resources in any of the member AWS accounts; however, depending on the SCPs you have applied, it can have an effect on the existing policies. By default, an SCP named "FullAWSAccess" is attached to every root, OU, and account, which allows all actions and all services. The users/roles are then restricted by the IAM policies attached directly to them.

Therefore, until you start creating and attaching the SCPs to accounts, all of your existing IAM permissions continue to operate as normal [1].

When enabling the "All Features" mode, you continue to get all the consolidated billing features plus a set of advanced features such as SCPs, which give you fine-grained control over which services and actions member accounts can access.

SCPs enable you to restrict, at the account level of granularity, what services and actions the users, groups, and roles in those accounts can do. SCPs are similar to IAM permission policies and use almost the exact same syntax. However, an SCP never grants permissions. Instead, an SCP acts as a "filter" that enables you to restrict what services and actions can be accessed by users and roles in the accounts that you attach the SCP to.

I would highly recommend that you go through the AWS documentation on "before enabling all features" in [2] linked below to have a better understanding of enabling all features. Then, please see [3] linked below for instructions to begin the process of enabling all features.

Additionally, AWS SSO [4] and IAM are completely separate services, so enabling SSO in your account will not affect IAM users, roles, or policies that you're already managing in IAM.

With AWS SSO, your users can log into AWS resources using the identities in your existing identity source or identities you have created in the native AWS SSO directory. Thus, AWS SSO does not use access keys to access AWS resources.

Please see [4] linked below for more detail about AWS SSO and [5] for instructions on getting started with AWS SSO.

Please feel free to contact us in case you have any other concerns. I will be happy to assist you further until everything is addressed.

References:

[1] Service control policies (SCPs)
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html

[2] Enabling all features in your organization – Before enabling all features
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html#before-enabling-all

[3] Enabling all features in your organization – Beginning the process to enable all features
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html#manage-begin-all-features

Please note that I personally value your feedback and would appreciate it if you accept and thumbs up this response if it satisfies your question.

Mfanelo
answered 2 years ago
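The answer's key point is that FullAWSAccess plus an identity's own IAM policy yields the same access as before, and that an SCP only filters, never grants. The toy evaluator below is an added illustration (not AWS's own evaluation engine, and not code from the thread): it models the SCP chain from the root down to the account as one list of policies per level, applies "explicit Deny wins, otherwise some Allow is required at every level", and then intersects the result with the IAM policy. The three chains, the policy documents and the action names are constructed for the example; conditions, NotAction, resource policies and permission boundaries are deliberately not modelled.

```python
"""Toy model of how SCPs filter IAM permissions (illustration only, not AWS's engine)."""
from fnmatch import fnmatch

# The default SCP AWS attaches to every root, OU and account (shape as in the docs).
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample documents for the scenarios below.
MEMBER_IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:*", "cloudfront:*"], "Resource": "*"}]}
DENY_S3_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
EC2_ONLY_SCP = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# SCP chains: [root level, OU level, account level]; each level is a list of attached SCPs.
UNTOUCHED_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
DENY_S3_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_S3_SCP], [FULL_AWS_ACCESS]]
ALLOWLIST_CHAIN = [[FULL_AWS_ACCESS], [EC2_ONLY_SCP], [FULL_AWS_ACCESS]]  # FullAWSAccess detached at the OU


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'); pattern may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def evaluate_policy(policy, action, resource="*"):
    """Verdict of a single policy document: 'Deny', 'Allow' or 'Implicit' (no match)."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        verdict = "Allow"
    return verdict


def level_verdict(policies, action, resource="*"):
    """Verdict for all SCPs attached at one level: any Deny wins, else any Allow, else implicit deny."""
    verdicts = [evaluate_policy(p, action, resource) for p in policies]
    if "Deny" in verdicts:
        return "Deny"
    return "Allow" if "Allow" in verdicts else "Implicit"


def diagnose(scp_levels, iam_policy, action, resource="*"):
    """Explain why an action is allowed or denied for an identity in a member account."""
    for depth, policies in enumerate(scp_levels):
        verdict = level_verdict(policies, action, resource)
        if verdict == "Deny":
            return f"denied: explicit Deny in an SCP at level {depth}"
        if verdict == "Implicit":
            return f"denied: no SCP at level {depth} allows {action} (FullAWSAccess detached?)"
    # Every level lets the action through; only now does the identity's own policy matter.
    if evaluate_policy(iam_policy, action, resource) != "Allow":
        return "denied: IAM policy does not grant this action (SCPs never grant)"
    return "allowed"


def is_allowed(scp_levels, iam_policy, action, resource="*"):
    return diagnose(scp_levels, iam_policy, action, resource) == "allowed"


if __name__ == "__main__":
    for name, chain in [("untouched", UNTOUCHED_CHAIN), ("deny-s3", DENY_S3_CHAIN),
                        ("allowlist", ALLOWLIST_CHAIN)]:
        for action in ["s3:ListBucket", "lambda:InvokeFunction", "ec2:DescribeInstances"]:
            print(f"{name:10} {action:25} -> {diagnose(chain, MEMBER_IAM_POLICY, action)}")
```

Running it shows the three situations worth telling apart when "everything vanished": the untouched chain leaves every IAM-granted action working (enabling all features alone changes nothing), an explicit Deny SCP removes one service, and a chain where FullAWSAccess was replaced by an allowlist SCP blocks S3, Lambda and CloudFront even though the IAM policy still grants them, while `ec2:DescribeInstances` stays denied because the SCP cannot grant what IAM does not. The real-world check is run from the management account, which is the only place SCPs can be listed or edited: `aws organizations list-policies-for-target --target-id <MEMBER_ACCOUNT_ID> --filter SERVICE_CONTROL_POLICY` (account id is a placeholder), repeated for each parent OU and the root.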
