Service Control Policy for restricting certain write actions to specific regions only
We would like to control which services are available for use in which accounts and regions while still being able to review everything:
- Allow ReadOnly across all services in all regions
- Allow Write on specified services in certain regions
We are aware of the general policy to restrict actions not in specific regions but this is too restrictive and results in unnecessary confusion when users experience permission errors on various service dashboards.
Thus far we have been unable to construct an SCP, or combination of SCPs, that provide the intended effect given the attachment and size limits.
Is what we are looking for even possible with Service Control Policies alone?
We would like to avoid:
- Managing this via User/Role Permissions
- Having "Bypass" Roles as shown in the documented example above.
No, you cannot do this via SCPs alone. SCPs don't grant any actions, only allow that certain actions can be granted by identity policies, so you will have to have some identity policies involved.
Another problem you will run into is that an explicit deny anywhere in the policy evaluation logic will result in the action being denied, even if it is also allowed. This means that if you want any principals in an account to have an action (e.g. write to a specific region), then the SCPs must allow it.
Unless you scope your regions to specific accounts or OUs, you cannot implement what you want with SCPs.
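To make the two points in the answer concrete (an SCP grants nothing on its own, and an explicit Deny in any SCP overrides an identity-policy Allow), here is an added example that is not part of the original question or answer and not AWS's own evaluator. It builds the common region guardrail (a Deny statement using NotAction to exempt read-only actions, conditioned on aws:RequestedRegion) next to a FullAWSAccess-style Allow, then runs a deliberately small simulation of the evaluation order. The regions, the service list, the identity policy and the action names used as inputs are constructed for illustration; the simulator only handles Action/NotAction, Effect and the aws:RequestedRegion condition, and ignores Resource, principal, resource-based policies, permission boundaries and session policies.

```python
"""Region-scoped write guardrail as an SCP, plus a minimal policy evaluator.

Constructed example: regions, services and policies are illustrative only.
"""
import fnmatch

# Constructed: the only regions in which write actions should be permitted.
ALLOWED_WRITE_REGIONS = ["eu-west-1", "eu-central-1"]

# Constructed SCP. NotAction exempts read-only patterns from the Deny; every
# other action (for every service, not just ec2/rds) is denied outside the
# approved regions. Scoping the exemption per service means enumerating
# action names here, which is what runs into the SCP size limits.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyWriteOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["*:Describe*", "*:Get*", "*:List*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ALLOWED_WRITE_REGIONS}
            },
        },
    ],
}

# Constructed identity policy: broad EC2 rights, read-only S3.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:Get*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action globs are case-insensitive in practice; fnmatchcase keeps
    # the simulator predictable for the constructed inputs used here.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def statement_applies(stmt, action, region):
    """True when the statement's action element and region condition both match."""
    if "Action" in stmt:
        hit = _matches(stmt["Action"], action)
    else:
        hit = not _matches(stmt["NotAction"], action)
    if not hit:
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if key != "aws:RequestedRegion":
                raise NotImplementedError(f"condition key not simulated: {key}")
            values = _as_list(values)
            if operator == "StringNotEquals" and region in values:
                return False
            if operator == "StringEquals" and region not in values:
                return False
    return True


def evaluate(policy, action, region):
    """Return 'Deny', 'Allow' or None for one policy document (explicit Deny wins)."""
    result = None
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, region):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(scps, identity_policies, action, region):
    """Simplified order: SCP Deny -> SCP must Allow -> identity Deny -> identity Allow."""
    scp_results = [evaluate(p, action, region) for p in scps]
    if "Deny" in scp_results:
        return False          # an explicit Deny anywhere ends the evaluation
    if "Allow" not in scp_results:
        return False          # SCPs bound what can be granted; no Allow, no access
    identity_results = [evaluate(p, action, region) for p in identity_policies]
    if "Deny" in identity_results:
        return False
    return "Allow" in identity_results   # the SCP itself never grants


def run_scenarios():
    """Illustrative calls covering the cases the answer describes."""
    return {
        "read anywhere":            is_allowed([SCP], [IDENTITY_POLICY], "ec2:DescribeInstances", "us-east-1"),
        "write in approved region": is_allowed([SCP], [IDENTITY_POLICY], "ec2:RunInstances", "eu-west-1"),
        "write outside region":     is_allowed([SCP], [IDENTITY_POLICY], "ec2:RunInstances", "us-east-1"),
        "write, no identity grant": is_allowed([SCP], [], "ec2:RunInstances", "eu-west-1"),
        "s3 write, read-only user": is_allowed([SCP], [IDENTITY_POLICY], "s3:PutObject", "eu-west-1"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {'ALLOW' if outcome else 'DENY'}")
```

Two things fall out of the scenarios. "write, no identity grant" is denied even though the SCP allows the action in an approved region, which is the answer's first point. And because the Deny statement's NotAction is not scoped to a service, s3:PutObject in us-east-1 is denied for everyone in the account regardless of their identity policy, which is why narrowing the guardrail to specific services without listing every write action is hard to fit into an SCP.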