1 Answer
That won't work because a Deny statement always wins, and in your case you deny all actions outside the specified regions, including actions related to the AWS Config service.
How about you change your original Deny statement to match on all actions except AWS Config related actions by using the NotAction key.
Like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOtherRegions",
            "Effect": "Deny",
            "NotAction": "config:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                }
            }
        }
    ]
}
Be sure to thoroughly test this before you use it in a production environment.
I also suggest you take a look at the Deny region SCP that Control Tower uses. You'll notice that there are multiple actions that are excluded from the regions being denied (among them config:*).
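To see why the NotAction form fixes the problem, here is an added Python simulation (not part of the answer and not an AWS tool) that evaluates the Deny statement above alongside the FullAWSAccess policy. The evaluator is a deliberate simplification of real SCP semantics: an explicit Deny wins, an Allow is otherwise required, and Resource, IAM policies and the per-OU inheritance chain are ignored; the sample actions and regions are constructed.

```python
import fnmatch

ALLOWED_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
REGION_CONDITION = {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}

# Deny-region SCP as proposed in the answer: applies to every action except config:*.
DENY_OTHER_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOtherRegions", "Effect": "Deny", "NotAction": "config:*",
    "Resource": "*", "Condition": REGION_CONDITION}]}

# The original, broken form: denies every action, so AWS Config calls made
# outside the allowed regions are blocked as well.
DENY_ALL_OTHER_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOtherRegions", "Effect": "Deny", "Action": "*",
    "Resource": "*", "Condition": REGION_CONDITION}]}

# Default SCP attached to the organization root.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """Action: statement applies if any pattern matches. NotAction: applies if none does."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_matches(stmt, ctx):
    """Only the two string operators used on this page are modelled."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, values in pairs.items():
            present = ctx.get(key) in _as_list(values)
            if (operator == "StringEquals" and not present) or \
               (operator == "StringNotEquals" and present):
                return False
    return True


def scp_allows(policies, action, region):
    """Simplified SCP decision: any matching Deny wins, otherwise an Allow is required."""
    ctx = {"aws:RequestedRegion": region}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt, action) and _condition_matches(stmt, ctx):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

With FullAWSAccess plus the NotAction statement, `config:PutConfigurationRecorder` in eu-west-1 is still allowed while `ec2:RunInstances` there is denied; with the original `"Action": "*"` form the Config call is denied too.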
Hi Yaniv Rozenboim, first of all thanks for answering the question. These are the two requirements I have to achieve via SCP:
This is exactly what I provided you with the policy I shared: Deny all actions except config:* in all regions except US. As long as you keep the default policy FullAWSAccess assigned to the root of the organization you will get exactly what you wanted.