SCPs - conditions for a specific OU?

Question

I know I can assign SCPs to a specific OU. Am I able to apply an SCP at root, but then limit or choose specific OUs within the json file?

So for example, restrict resources or services in all OUs except one? It would be useful for us with dev and prod.

Accepted Answer

Yes, it could be used to control the use of EC2 instances:

```
{
        "Sid": "",
        "Effect": "Deny",
        "Action": [
          "ec2:RunInstances"
        ],
        "Resource": [
          "arn:aws:ec2:*:*:instance/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "ec2:InstanceType": [
              "c5.large"
            ]
          },
          "ForAllValues:StringNotLike": {
            "aws:PrincipalOrgPaths": [
              "o-a1234bcd/r-abc1/ou-123-xyz789/*"
            ]
          }
        }
      }
```
This policy denies the use of c5.large instances in anything other than the specified OU.

Answer

Hey - [Principal Org Paths](https://docs.amazonaws.cn/en_us/organizations/latest/userguide/orgs_permissions_overview.html) can be used to target specific OUs.

You can set a condition and use `StringLike` or `StringNotLike` to apply or exempt the policy from specific OUs.

```
"Condition": {
                "ForAllValues:StringNotLike": {
                  "aws:PrincipalOrgPaths": [
                    "o-a1234bcd/r-abc1/ou-123-xyz789/*"
                  ]
                }
              }
```
The above condition means that the policy would not apply to that specific OU.

Answer

Take a look at this blog post-  How to control access to AWS resources based on AWS account, OU, or organization.

URL: https://aws.amazon.com/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/

SCPs - conditions for a specific OU?

Relevant content