By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Comprehensive Log of SCP Deny actions

0

Greetings,

Context We are in the process of building out our SCPs to fit our specific needs. One of the SCPs we are building is to only allow approved AWS Services.

We started with the list of necessary services, as defined in the example for SCP Regions (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) We took that baseline set of AWS Services and added the specific list of services we wanted to allow. Our list is built off the AWS Services that were in our AWS Cloudtrail log. Just to give you a frame of reference, that's about 90 (or so) allowed Services based on our footprint.

Question So far, the SCP seems to be working. However, I do not have a comprehensive way to validate based off CloudTrail Logs. As an example, some of the SQS message actions are not put into CloudTrail.

Is there a way to get a comprehensive log for a given SCP? In other words, a log of all SCP Denies that a particular SCP Policy is generating?

Topics
Management & Governance
Tags
AWS CloudTrailAmazon CloudWatch LogsService Control Policy
Language
English
rePost-User-ellicottcity
asked a year ago1008 views
1 Answer
0

One way to determine whether a service is used by an account is to examine the service last accessed data in IAM. Another way is to use AWS CloudTrail to log service usage at the API level. Reference : https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-warning-testing-effect

profile pictureAWS
EXPERT
AWS-User-Nitin
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content