Track issue in the SCP

0

Hi AWS, I am writing an SCP to enable AWS Config and AWS GuardDuty. The approved regions are us-east-1, us-east-2, us-west-1. Here is the SCP code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "guardduty:*",
                "config:*"
            ],
            "Resource": "*",
            "Effect": "Deny",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-east-2",
                        "us-west-1",
                        "us-west-2"
                    ]
                }
            }
        }
    ]
}

But during testing, I tried to enable both AWS Config and GuardDuty in one of the non-approved regions (e.g. ap-south-1) and I was able to enable them.

Can you please help me in identifying why it is happening?

2 Answers
1

Can you check if your SCP is attached to the target account where you are testing and trying to enable it from a non-approved region?

Your policy looks correct, I tested it and it works fine as expected:


Then I tried to enable Config in Mumbai and N. Virginia and saw the results:

Mumbai: Denied


N. Virginia: Allowed


AWS
EXPERT
answered a month ago
  • yes, it is @secondabhi_aws

  • Your policy doesn't have any problem, I just tested it and it works as expected. Just select your SCP from the Organizations console and see the targets, make sure the account where you are trying is added as a target.

  • Were you able to find out the problem?

1

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Maybe you are testing it on the Management (Master) account?

You can't use SCPs to restrict the following tasks:
Any action performed by the management account
EXPERT
answered a month ago
EXPERT
Artem
reviewed a month ago
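To make the two answers concrete, here is a small evaluator, added as an illustration and not code from either answer or from AWS, that applies the asker's Deny-with-region-condition SCP to a request and then layers on the two caveats raised above: the SCP only binds accounts it is attached to, and it never applies to the management account. The action names and the `scp_attached`/`management_account` flags are assumptions for the example; only the subset of IAM grammar this policy uses is modelled.

```python
# Added example: models only Effect Deny, "service:*" actions and a
# StringNotEquals on aws:RequestedRegion. It is not AWS's evaluation engine.

# The asker's SCP, re-typed as a Python dict (note it also lists us-west-2,
# which the question text does not name as an approved region).
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["guardduty:*", "config:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": [
            "us-east-1", "us-east-2", "us-west-1", "us-west-2"]}},
    }],
}


def _action_matches(pattern, action):
    """Match a 'service:*' wildcard or an exact action name."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def scp_denies(policy, action, region):
    """True if some Deny statement matches `action` for a request in `region`.
    A multi-valued StringNotEquals is satisfied when the request value equals
    none of the listed values, so the deny fires for any unlisted region."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(_action_matches(p, action) for p in actions):
            continue
        listed = (stmt.get("Condition", {}).get("StringNotEquals", {})
                  .get("aws:RequestedRegion"))
        if listed is None or region not in listed:  # unconditional, or met
            return True
    return False


def is_allowed(policy, action, region, scp_attached=True,
               management_account=False):
    """Apply the caveats from the answers: an unattached SCP constrains
    nothing, and no SCP applies to the management account. Assumes the
    caller's IAM identity policy already allows the action."""
    if management_account or not scp_attached:
        return True
    return not scp_denies(policy, action, region)
```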
