Using Amazon service control policy to restrict Amazon Workspaces with encypted volumes

0

I'm trying to create a service control policy to restrict creating Amazon Workspaces only with encrypted volumes. For example:

{
	"Effect": "Deny",
	"Action": [
		"workspaces:CreateWorkspaces"
	],
	"Condition": {
		"ForAnyValues:Bool": [
		        {"workspaces:UserVolumeEncryptionEnabled": "false"},
	            {"workspaces:RootVolumeEncryptionEnabled": "false"}
	    ]
	},
	"Resource": [
		"*"
	]
}

However, the service control policy editor gives me an error: "The provided policy document does not meet the requirements of the specified policy type." Why is this happening?

Phil_S
asked 2 years ago46 views
1 Answer
0
Accepted Answer

Amazon WorkSpaces doesn't have any service level condition keys that you can use with a service control policy. Therefore, specifying the "workspaces:userVolumeEncryptionEnabled" as a condition in your policy will cause an error. For more information, see Specify WorkSpaces resources in an IAM policy.

profile picture
EXPERT
Dzung_N
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions