1 Answer
Hello.
As you recognize, the guardrails at SCP are effective.
You can limit Lambda deletion by configuring SCP to allow only specific IAM users, groups, roles, and SSO permission sets.
For example, the following condition would allow only a specific set of SSO permissions to operate.
```json
"Condition": {
  "ArnNotLike": {
    "aws:PrincipalArn": [
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/ap-northeast-1/AWSReservedSSO_Access permission set_*"
    ]
  }
}
```
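The full SCP that the condition above belongs in, as an added example that is not part of the answer: a Deny on `lambda:DeleteFunction` whose `ArnNotLike` condition exempts only the roles IAM Identity Center creates for one permission set. The permission-set name `LambdaAdmin`, the account id and the sample principal ARNs are constructed placeholders; the `arn_like` helper is a simplified local model of IAM's wildcard matching, not the IAM evaluation engine.

```python
import json
import re

# Hypothetical permission set "LambdaAdmin" in ap-northeast-1 (the region from
# the answer). Identity Center appends a random suffix to the role name, which
# the trailing "*" absorbs; the account id is a wildcard so one SCP fits all OUs.
ALLOWED_PRINCIPAL_PATTERN = (
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/"
    "ap-northeast-1/AWSReservedSSO_LambdaAdmin_*"
)

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLambdaDeleteExceptSsoAdmins",
        "Effect": "Deny",
        "Action": ["lambda:DeleteFunction"],
        "Resource": "*",
        "Condition": {
            "ArnNotLike": {"aws:PrincipalArn": [ALLOWED_PRINCIPAL_PATTERN]}
        },
    }],
}


def arn_like(pattern: str, arn: str) -> bool:
    """Model ArnLike: '*' matches any run of characters, '?' exactly one,
    everything else is literal. Simplified model of IAM's behaviour."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def deletion_denied_by_scp(principal_arn: str) -> bool:
    """True when the Deny statement applies to this principal. For an assumed
    role, aws:PrincipalArn carries the role ARN, so the pattern targets that."""
    stmt = SCP["Statement"][0]
    patterns = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
    # ArnNotLike holds (and the Deny fires) when no listed pattern matches.
    return not any(arn_like(p, principal_arn) for p in patterns)


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for arn in ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
                "ap-northeast-1/AWSReservedSSO_LambdaAdmin_0123456789abcdef",
                "arn:aws:iam::111122223333:user/developer"):
        print(arn, "-> denied" if deletion_denied_by_scp(arn) else "-> allowed")
```

Remember that SCPs never apply to the management account, so a principal there is unaffected regardless of this policy; validate the real effect with a test principal in a member account before rolling the SCP out.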