In an SCP alone you cannot enable a service. Instead you would deny it in the SCP before and after your desired window, and have an allow statement in the IAM policy. Something similar to the example below should work for the SCP Condition.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html
Depends on what you mean by "enable a service".
Using an SCP you can control all API actions on a certain service so that they will be denied if the API calls are being made before/after a certain date.
For example:
You can create an SCP like this to block all S3 actions after a specific date:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2024-09-11T00:00:00Z"
        }
      }
    }
  ]
}
```
Hi
- SCP: A policy that controls the actions that AWS accounts can perform. It's a powerful tool for enforcing compliance and security.
- AWS: Amazon Web Services, a cloud computing platform offering various services and resources.
- aws:CurrentTime condition: A condition key that allows you to specify a time-based constraint in your SCP.
Create an SCP:
Use the AWS Management Console, AWS CLI, or AWS SDK to create a new SCP. Assign a meaningful name and description.
Define the Condition:
Within the SCP's policy document, include the aws:CurrentTime condition key. Specify the desired time constraint using the DateEquals or DateLessThan operators. For example (JSON):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "2024-12-31T23:59:59Z"
        }
      }
    }
  ]
}
```
I don't think you can get desired effect using "Allow" in SCP. You typically first allow everything in SCP and then deny things you don't want to get allowed in IAM policies. This https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html explains policy evaluation logic.
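To see how the two pieces fit together (the "deny before and after the window" SCP pattern from the first answer, and the evaluation-logic point that an SCP alone grants nothing), here is an added, simplified policy evaluator written for this thread; it is not AWS code, models only the aws:CurrentTime date conditions discussed here, and uses constructed SCP and IAM policies with an assumed window of 2024-09-01 to 2024-09-11.

```python
from datetime import datetime, timezone
# Constructed SCP using the thread's pattern: allow all, then deny the action before/after the window.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-09-01T00:00:00Z"}}},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2024-09-11T00:00:00Z"}}},
    ],
}
# Constructed identity (IAM) policy that actually grants the action inside the account.
IAM_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}
# The two date operators used in the thread, applied to aws:CurrentTime.
_OPS = {"DateLessThan": lambda a, b: a < b, "DateGreaterThan": lambda a, b: a > b}

def parse_time(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def action_matches(pattern, action):
    # Handles the forms seen on this page: "*", "s3:*" and exact action names.
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action

def condition_holds(condition, now):
    # Only aws:CurrentTime is modelled; every operator/value pair must hold.
    for op, pairs in condition.items():
        for key, value in pairs.items():
            if key != "aws:CurrentTime" or not _OPS[op](now, parse_time(value)):
                return False
    return True

def evaluate(policy, action, now):
    # Explicit Deny wins; a matching Allow gives "Allow"; nothing matching is an implicit deny (None).
    result = None
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (not any(action_matches(a, action) for a in actions)
                or not condition_holds(st.get("Condition", {}), now)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def is_allowed(scp, iam, action, now_iso):
    # Simplified single-account logic: the SCP must allow (and not deny) the action AND an
    # identity policy must grant it; an SCP by itself never grants anything.
    now = parse_time(now_iso)
    return evaluate(scp, action, now) == "Allow" and evaluate(iam, action, now) == "Allow"
```

With the constructed policies, ec2:RunInstances is allowed only inside the window, and only when the identity policy also grants it; other actions are untouched by the two Deny statements.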
Yes, but does an SCP support this condition:
"DateGreaterThan": {"aws:CurrentTime": <SOME-DATE>}? That is what I was trying to understand.