Modify SCP to enable AWS Config in restricted AWS regions

0

Hi AWS, I have created an SCP to explicitly deny use of AWS services other than 4 approved AWS regions, i.e. us-east-1, us-east-2, us-west-1 and us-west-2. Here is the SCP code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOtherRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                }
            }
        }
    ]
}

Now we're planning to enable only AWS Config in the non-approved/restricted regions, and I have tweaked the original SCP like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllActionsInUSRegions",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                }
            }
        },
        {
            "Sid": "DenyAllActionsOutsideUSRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                }
            }
        },
        {
            "Sid": "AWSAllConfigGlobally",
            "Effect": "Allow",
            "Action": [
                "config:*"
            ],
            "Resource": "*"
        }
    ]
}

Do you think the modified SCP would fulfill the requirement to enable AWS Config in all regions, or is there something that needs to be identified and fixed? Please advise.

1 Answer
1

That won't work because a Deny statement always wins, and in your case you deny all actions outside the specified regions, including actions related to the AWS Config service.

How about you change your original Deny statement to match on all actions except AWS Config related actions by using the NotAction key? Like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOtherRegions",
            "Effect": "Deny",
            "NotAction": "config:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                }
            }
        }
    ]
}

Be sure to thoroughly test this before you use it in a production environment.

I also suggest you take a look at the Deny region SCP that Control Tower uses. You'll notice that there are multiple actions that are excluded from the regions being denied (among them config:*).

AWS EXPERT
answered 2 months ago
  • Hi Yaniv Rozenboim, first of all thanks for answering the question. These are the two requirements I have to achieve via SCP:

    1. Allow all services in the US regions.
    2. Block all services except AWS Config in US and other unapproved regions.
  • This is exactly what I provided you with in the policy I shared: Deny all actions except config:* in all regions except US. As long as you keep the default policy FullAWSAccess assigned to the root of the organization, you will get exactly what you wanted.
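To see why the asker's three-statement SCP still blocks AWS Config outside the US while the NotAction version does not, here is a small evaluator I wrote as an added example (not code from the thread or from AWS). It models only what this thread needs: Action/NotAction wildcards, StringEquals/StringNotEquals on aws:RequestedRegion, the explicit-deny-wins rule, and the FullAWSAccess policy the answer assumes is still attached to the root; Resource matching and every other SCP feature are left out, so it is a teaching model, not a substitute for testing in a sandbox OU.

```python
import fnmatch

US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]

# Default SCP the answer assumes is still attached to the organization root.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The asker's modified SCP: its Deny statement still matches config:* outside the US.
ASKER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": US_REGIONS}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": US_REGIONS}}},
    {"Effect": "Allow", "Action": ["config:*"], "Resource": "*"}]}

# The answer's SCP: NotAction carves config:* out of the regional Deny.
ANSWER_POLICY = {"Statement": [
    {"Effect": "Deny", "NotAction": "config:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": US_REGIONS}}}]}

def _as_list(value):
    return [value] if isinstance(value, str) else value

def _action_matches(statement, action):
    """Action matches if any wildcard pattern hits; NotAction inverts the result."""
    key = "NotAction" if "NotAction" in statement else "Action"
    hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement[key]))
    return not hit if key == "NotAction" else hit

def _condition_matches(statement, region):
    """Only StringEquals / StringNotEquals on aws:RequestedRegion are modelled."""
    for operator, keys in statement.get("Condition", {}).items():
        in_set = region in _as_list(keys.get("aws:RequestedRegion", []))
        if (operator == "StringEquals") != in_set:
            return False
    return True

def evaluate(policies, action, region):
    """Return 'Allow' or 'Deny' for an action in a region under all attached SCPs.
    An explicit Deny in any policy wins; otherwise some Allow statement must match."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt, action) and _condition_matches(stmt, region):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    for name, policy in [("asker", ASKER_POLICY), ("answer", ANSWER_POLICY)]:
        for action, region in [("config:PutConfigurationRecorder", "eu-west-1"),
                               ("ec2:RunInstances", "eu-west-1")]:
            print(name, action, region, evaluate([FULL_AWS_ACCESS, policy], action, region))
```

Running it shows the asker's policy denying config:PutConfigurationRecorder in eu-west-1 (the Deny on "*" wins over the later config:* Allow) while the answer's policy allows it and still denies ec2:RunInstances there.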
