3 Answers
1
Yes, it could be used to control the use of EC2 instances:
{
    "Sid": "",
    "Effect": "Deny",
    "Action": [
        "ec2:RunInstances"
    ],
    "Resource": [
        "arn:aws:ec2:*:*:instance/*"
    ],
    "Condition": {
        "StringNotEquals": {
            "ec2:InstanceType": [
                "c5.large"
            ]
        },
        "ForAllValues:StringNotLike": {
            "aws:PrincipalOrgPaths": [
                "o-a1234bcd/r-abc1/ou-123-xyz789/*"
            ]
        }
    }
}
This policy denies the use of c5.large instances in anything other than the specified OU.
answered 2 years ago
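A small condition evaluator, added here as an example and not code from the answer above, that replays the Deny statement's Condition block against constructed RunInstances request contexts so you can check which requests it actually matches before rolling it out as an SCP. It implements only the String operators and the ForAllValues/ForAnyValue set qualifiers, and assumes the documented AWS behaviour that ForAllValues evaluates true when the key is absent or empty; the org paths used in the tests are constructed sample values.

```python
import fnmatch

# The Condition block of the Deny statement from the answer above.
CONDITION = {
    "StringNotEquals": {"ec2:InstanceType": ["c5.large"]},
    "ForAllValues:StringNotLike": {
        "aws:PrincipalOrgPaths": ["o-a1234bcd/r-abc1/ou-123-xyz789/*"]
    },
}


def _like(value, pattern):
    # IAM StringLike semantics: '*' matches any run of characters, '?' one
    # character, case-sensitive. fnmatchcase's '*' also crosses '/' as IAM's does.
    return fnmatch.fnmatchcase(value, pattern)


def _single(op, value, allowed):
    # Evaluate one operator for a single request value against the policy values.
    if op == "StringEquals":
        return value in allowed
    if op == "StringNotEquals":
        return value not in allowed
    if op == "StringLike":
        return any(_like(value, p) for p in allowed)
    if op == "StringNotLike":
        return not any(_like(value, p) for p in allowed)
    raise ValueError(f"unsupported operator: {op}")


def condition_matches(condition, context):
    """True when every operator block holds for `context`.
    context maps key -> str (single-valued key) or list[str] (multivalued key)."""
    for op, keys in condition.items():
        qualifier, _, base_op = op.rpartition(":")
        for key, allowed in keys.items():
            values = context.get(key)
            if qualifier == "ForAllValues":
                if not values:        # absent or empty set: documented to evaluate true
                    continue
                if not all(_single(base_op, v, allowed) for v in values):
                    return False
            elif qualifier == "ForAnyValue":
                if not values or not any(_single(base_op, v, allowed) for v in values):
                    return False
            else:
                if values is None:    # simplification: single-valued keys must be present
                    raise KeyError(key)
                if not _single(base_op, values, allowed):
                    return False
    return True


def run_instances_denied(instance_type, org_paths):
    """Does the Deny statement match a RunInstances request with this context?"""
    return condition_matches(CONDITION, {"ec2:InstanceType": instance_type,
                                         "aws:PrincipalOrgPaths": org_paths})
```

Note the last case: a principal with no aws:PrincipalOrgPaths in its request context (one outside any organization) is denied, because ForAllValues evaluates true on an empty set; that is the safe direction for a Deny but the reverse for an Allow.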
1
Hey - Principal Org Paths can be used to target specific OUs.
You can set a condition and use StringLike or StringNotLike to apply or exempt the policy from specific OUs.
"Condition": {
    "ForAllValues:StringNotLike": {
        "aws:PrincipalOrgPaths": [
            "o-a1234bcd/r-abc1/ou-123-xyz789/*"
        ]
    }
}
The above condition means that the policy would not apply to that specific OU.
answered 2 years ago
Thank you!!!
Could it be used to restrict specific instances (EC2) to prod/dev OUs?
0
Take a look at this blog post: How to control access to AWS resources based on AWS account, OU, or organization.
answered 2 years ago
Thank you!!