Service Control Policy for restricting certain write actions to specific regions only
We would like to control which services are available for use in which accounts and regions while still being able to review everything:
- Allow ReadOnly across all services in all regions
- Allow Write on specified services in certain regions
We are aware of the general policy to restrict actions not in specific regions but this is too restrictive and results in unnecessary confusion when users experience permission errors on various service dashboards.
Thus far we have been unable to construct an SCP, or combination of SCPs, that provides the intended effect given the attachment and size limits.
Is what we are looking for even possible with Service Control Policies alone?
We would like to avoid:
- Managing this via User/Role Permissions
- Having "Bypass" Roles as shown in the documented example above.
No, you cannot do this via SCPs alone. SCPs don't grant any actions, only allow that certain actions can be granted by identity policies, so you will have to have some identity policies involved.
Another problem you will run into is that an explicit deny anywhere in the policy evaluation logic will result in the action being denied, even if it is also allowed. This means that if you want any principals in an account to have an action (e.g. write to a specific region), then the SCPs must allow it.
Unless you scope your regions to specific accounts or OUs, you cannot implement what you want with SCPs.
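As an added illustration of the evaluation logic described in this answer (example code, not part of the original post): a constructed SCP that leaves read-only actions open everywhere and denies writes except for listed services in listed regions, evaluated alongside a constructed identity policy to show that the SCP guardrail by itself grants nothing and that an explicit deny always wins. The service, region and pattern lists are assumptions for the example.

```python
import fnmatch

READ_ONLY = ["*:Describe*", "*:Get*", "*:List*"]   # constructed read-only action patterns
WRITE_SERVICES = ["s3:*", "dynamodb:*"]             # constructed: services permitted to write
WRITE_REGIONS = ["eu-west-1", "eu-central-1"]       # constructed: regions permitted for writes

# Constructed SCP: statement 1 is the usual full-access allow; statement 2 denies writes on
# every service not in WRITE_SERVICES; statement 3 denies writes outside WRITE_REGIONS.
# Global services (iam, sts, organizations, ...) report us-east-1 as aws:RequestedRegion
# and would also need to be exempted in statement 3 in a real deployment.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "NotAction": READ_ONLY + WRITE_SERVICES, "Resource": "*"},
        {"Effect": "Deny", "NotAction": READ_ONLY, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": WRITE_REGIONS}}},
    ],
}

# Constructed identity policy attached to a role inside the member account.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _applies(stmt, action, region):
    """True if the statement's Action/NotAction and region condition match the request."""
    patterns = stmt.get("Action", stmt.get("NotAction"))
    patterns = [patterns] if isinstance(patterns, str) else patterns
    hit = any(fnmatch.fnmatchcase(action, p) for p in patterns)
    if "NotAction" in stmt:
        hit = not hit
    allowed_regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if allowed_regions is not None and region in allowed_regions:
        return False  # StringNotEquals is false when the region is one of the listed values
    return hit


def evaluate(policy, action, region):
    """Single-policy verdict: an explicit Deny beats Allow; no matching statement is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, region)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(action, region, scp=SCP, identity=IDENTITY_POLICY):
    """Simplified Organizations evaluation: the SCP must allow AND an identity policy must allow."""
    return evaluate(scp, action, region) == "Allow" and evaluate(identity, action, region) == "Allow"
```

Note that `dynamodb:PutItem` in an approved region passes the SCP yet is still denied, because no identity policy grants it; that is the "SCPs don't grant" point made above.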