First, let's look at the difference between detective and preventive guardrails. The documentation located here gives a very good description and understanding of the two.
Detective guardrails (e.g. AWS Config Rules) won't prevent an action from happening; they only let you know it's out of compliance.
Preventive guardrails are implemented with Service Control Policies or IAM Policies. These will deny an action from happening. For example, if you wanted to prevent someone from creating an unencrypted volume, or creating an EC2 instance with an unencrypted volume, you can attach an SCP to the OU like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    },
    {
      "Sid": "PreventEc2MountUnencryptedVolume",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    }
  ]
}
```
You can see other examples of SCPs here:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
And some more information about how SCPs work, and best practices for using them:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
To answer your question:
"If this is implemented while some are out of compliance, will it cause issues with the function/use of these EBS drives?" The answer is, it depends. If you have an EC2 instance running with an unencrypted EBS volume, it will continue to run uninterrupted. But let's say you applied the above SCP to your OU, and you had an EC2 auto scaling group with a launch configuration that creates instances with unencrypted volumes. The SCP will deny new EC2 instances from being created and auto scaling will not function. So you can see, it's very important to test preventive guardrails thoroughly to fully understand the downstream effects.
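As an added example (not part of the original answer or of any AWS tooling), here is the kind of pre-flight check the last paragraph calls for: an offline evaluator for the two Deny statements above, run against the block device mappings of an auto scaling group's launch configurations to find the volumes that `ec2:RunInstances` would be denied for once the SCP is attached. The launch configuration records are constructed sample data in the shape of `describe_launch_configurations` output; the region, account ID and the `encryption_by_default` handling are assumptions, and the check does not look at the AMI's own block device mappings (the root volume), which need the same treatment.

```python
import fnmatch

# The answer's two Deny statements, wrapped in a complete SCP document.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
        {
            "Sid": "PreventEc2MountUnencryptedVolume",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only the Bool operator is implemented because that is all this SCP uses.
    # IAM semantics: a key missing from the request context makes the condition
    # false, so a Deny statement that depends on it does not apply.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def denying_statements(policy, action, resource, context):
    """Return the Sid (or index) of every Deny statement that matches this request.
    Action and Resource use IAM-style '*' / '?' wildcards, which fnmatch also implements."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def launch_config_findings(launch_config, region, account, encryption_by_default=False):
    """Simulate the volume resources an ASG launch would create from this launch
    configuration and report the device mappings the SCP would deny."""
    findings = []
    for mapping in launch_config.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:
            continue  # instance-store (VirtualName) or NoDevice entries create no EBS volume
        # Assumption: a mapping that omits 'Encrypted' follows the region's EBS
        # encryption-by-default setting; an explicit value is taken at face value.
        encrypted = ebs.get("Encrypted", encryption_by_default)
        context = {"ec2:Encrypted": "true" if encrypted else "false"}
        resource = f"arn:aws:ec2:{region}:{account}:volume/*"
        sids = denying_statements(SCP, "ec2:RunInstances", resource, context)
        if sids:
            findings.append((launch_config["LaunchConfigurationName"], mapping["DeviceName"], sids))
    return findings


# Constructed sample records in the shape of autoscaling describe_launch_configurations output.
SAMPLE_LAUNCH_CONFIGS = [
    {
        "LaunchConfigurationName": "web-lc-v3",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": True}},
            {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 100}},  # 'Encrypted' omitted
        ],
    },
    {
        "LaunchConfigurationName": "worker-lc-v1",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": False}},
            {"DeviceName": "/dev/xvdc", "VirtualName": "ephemeral0"},
        ],
    },
]


def preflight(launch_configs, region="us-east-1", account="123456789012", encryption_by_default=False):
    """Run the check over every launch configuration (assumed region and account ID)."""
    findings = []
    for lc in launch_configs:
        findings.extend(launch_config_findings(lc, region, account, encryption_by_default))
    return findings


if __name__ == "__main__":
    for name, device, sids in preflight(SAMPLE_LAUNCH_CONFIGS):
        print(f"{name}: {device} would be denied by {', '.join(sids)}")
```

Run against real data, the `SAMPLE_LAUNCH_CONFIGS` list would be replaced by the `LaunchConfigurations` array returned by `aws autoscaling describe-launch-configurations`; any finding is a launch configuration whose scale-out will fail the moment the SCP is attached, so it should be fixed (or the SCP scoped to a test OU) first.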