Can't update Landing Zone-managed SCPs with the bulk policy migrator scripts

0

The LZ solution deployed is already on the latest version 3.2. The SCPs managed by the Landing Zone solution appear to be very long already. The bulk policy migrator scripts (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/migrate-iam-permissions.html) work by appending fine-grained permissions, so it returns the error below when the script attempts to update the policies.

An error occurred (ConstraintViolationException) when calling the UpdatePolicy operation: You have exceeded the maximum policy size.

Is there any official update from the Landing Zone solution that uses the new fine-grained actions as documented in https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/migrate-granularaccess-whatis.html?

PR
asked 8 months ago · 23 views
1 Answer
0

Hello!!! Unfortunately, AWS documentation doesn't specify an update for the Landing Zone solution regarding fine-grained actions. Try manually optimizing the SCPs or contacting AWS Support... And back up policies and test changes in a non-production environment first. :)

EXPERT
answered 6 days ago
