Can I use SSM parameter in the SCP policy

0

Hi Team, I'm trying to get this to work, but it seems we cannot fetch a parameter (stored in SSM Parameter Store) from within an SCP policy. I was trying the policy below, but it does not seem to take effect as it is supposed to. Any help on this, please? With this policy I would like to restrict VPC creation and CIDR association to only the given/allowed IPAM pool IDs.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "ec2:CreateVpc",
            "ec2:AssociateVpcCidrBlock"
          ],
          "Resource": "arn:aws:ec2:*:*:vpc/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:Ipv4IpamPoolId": [
                "{{resolve:ssm:/test/workload-ipam-pool-id}}",
                "{{resolve:ssm:/test/transit-gateway-ipam-pool-id}}"
              ]
            }
          }
        }
      ]
    }

2 Answers
1
Accepted Answer

I don't think this is supported as SSM Parameter Store only supports a number of AWS services which currently doesn't include SCP.

AWS Expert, answered 1 month ago
Expert, reviewed 1 month ago
Expert, reviewed 1 month ago
0

As my colleague commented, this scenario is not supported by Service Control Policies. What you can do instead is deploy the SCP using automation tools (such as CloudFormation or Terraform), have those tools read the configuration from Parameter Store, and build the final SCP from it. You can also trigger your pipeline when someone changes that configuration and have it update the deployed SCP. That is the way to achieve what you are looking for.

Best,

AWS, answered 1 month ago
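
The pipeline step the second answer describes, as an added example that is not code from either answer or from the original post: the parameter values are fetched from SSM first, the SCP is rendered with literal pool IDs, and the rendered document is checked for leftover `{{resolve:...}}` tokens before it is pushed with Organizations `UpdatePolicy`. The two parameter names come from the question; the `FakeSsm` client, the sample pool IDs, and the policy ID in the commented-out deployment call are assumptions so the example runs offline. Wiring this to run on parameter changes is left to your pipeline trigger.

```python
"""Build and deploy an SCP whose allowed IPAM pool IDs come from SSM Parameter Store.

Added example for this thread, not code from the original post. SCPs cannot
resolve {{resolve:ssm:...}} themselves, so the pipeline fetches the values
first and writes a fully literal policy document. The FakeSsm client, the
sample pool IDs and the policy ID below are assumptions for illustration.
"""
import json
import re

# Parameter names from the question; their values are assumed to be IPAM pool IDs.
POOL_ID_PARAMETERS = [
    "/test/workload-ipam-pool-id",
    "/test/transit-gateway-ipam-pool-id",
]

# CloudFormation dynamic-reference syntax, which has no meaning inside an SCP.
UNRESOLVED_REFERENCE = re.compile(r"\{\{resolve:[^}]*\}\}")
# IPAM pool IDs have the form ipam-pool-<hex>; reject anything else before deploying.
IPAM_POOL_ID = re.compile(r"^ipam-pool-[0-9a-f]+$")


def resolve_pool_ids(ssm_client, names):
    """Fetch the parameter values with one GetParameters call.

    Fails hard if any name is missing or malformed rather than deploying a
    policy that silently allows fewer (or zero) pools.
    """
    resp = ssm_client.get_parameters(Names=list(names), WithDecryption=False)
    if resp.get("InvalidParameters"):
        raise LookupError(f"missing SSM parameters: {resp['InvalidParameters']}")
    by_name = {p["Name"]: p["Value"] for p in resp["Parameters"]}
    values = [by_name[n] for n in names]
    bad = [v for v in values if not IPAM_POOL_ID.match(v)]
    if bad:
        raise ValueError(f"parameter values are not IPAM pool IDs: {bad}")
    return values


def build_scp(pool_ids):
    """Render the deny statement from the question with literal pool IDs."""
    if not pool_ids:
        raise ValueError("refusing to build an SCP that allows no IPAM pool")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyVpcCidrOutsideApprovedIpamPools",
                "Effect": "Deny",
                "Action": ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"],
                "Resource": "arn:aws:ec2:*:*:vpc/*",
                "Condition": {
                    "StringNotEquals": {"ec2:Ipv4IpamPoolId": sorted(pool_ids)}
                },
            }
        ],
    }


def render_scp(policy):
    """Serialize the policy and verify no dynamic-reference token survived."""
    content = json.dumps(policy, separators=(",", ":"))
    if UNRESOLVED_REFERENCE.search(content):
        raise ValueError("policy still contains a {{resolve:...}} token")
    return content


def deploy_scp(org_client, policy_id, content):
    """Push the rendered document to an existing SCP via Organizations UpdatePolicy."""
    return org_client.update_policy(PolicyId=policy_id, Content=content)


class FakeSsm:
    """Constructed stand-in for boto3's SSM client so the example runs offline."""

    def __init__(self, store):
        self.store = store

    def get_parameters(self, Names, WithDecryption=False):
        found = [{"Name": n, "Value": self.store[n]} for n in Names if n in self.store]
        missing = [n for n in Names if n not in self.store]
        return {"Parameters": found, "InvalidParameters": missing}


# Constructed sample values; real IDs come from your IPAM pools.
SAMPLE_STORE = {
    "/test/workload-ipam-pool-id": "ipam-pool-0123456789abcdef0",
    "/test/transit-gateway-ipam-pool-id": "ipam-pool-0fedcba9876543210",
}


if __name__ == "__main__":
    ids = resolve_pool_ids(FakeSsm(SAMPLE_STORE), POOL_ID_PARAMETERS)
    print(render_scp(build_scp(ids)))
    # Real deployment from the pipeline (assumed policy ID), using boto3:
    # import boto3
    # ids = resolve_pool_ids(boto3.client("ssm"), POOL_ID_PARAMETERS)
    # deploy_scp(boto3.client("organizations"), "p-examplescp", render_scp(build_scp(ids)))
```

The `render_scp` check is the part worth keeping even if you use CloudFormation or Terraform instead of a script: an SCP that still carries a `{{resolve:...}}` string is syntactically valid JSON, so Organizations will accept it, and the `StringNotEquals` condition will then compare the real pool ID against that literal string and deny every `CreateVpc` call.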
