Score:0

AWS Organizations - How to globally set boundaries to allow access only to a predefined set of services?


I would like to allow users in all accounts in my AWS Organization (under a number of different OUs) to access only a few AWS services: RDS, EC2, S3, etc. In other words, I need to prevent access to anything else. I was thinking about using an SCP, but denying access to so many services seems to be a bad idea (the FullAWSAccess service control policy is attached by default). I would like to ask if you have ever done something like that and, if you have, how?

Score:1

SCP is the way to go.

You can deny everything with a whitelist condition.

Please bear in mind that you need to reduce the scope of your SCP; otherwise you end up preventing AWS service roles from performing standard operations, e.g. if you use CloudFormation stacks.

Therefore, you should apply this SCP only to the roles used by your users and services.

Tip: use one role for implementing the SCP and one role to test it. Start small and progress in small steps. Otherwise you might exclude yourself from any service in the AWS console.

Tim
Definitely SCP. A few more thoughts based on my experience using SCP for a while. Test with one Sandbox OU, with specific roles. Note that the master account cannot have SCPs restricted. SCPs can be really fiddly, they're a union of the permissions of all the OUs and the account. When permissions don't work as expected I always look at SCP first, then IAM. Work from example SCPs, start small.
Thank you. I have used "Deny" with "NotAction" and listed allowed services, added condition excluding one user. Testing in dev env now, looks good so far.
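Worked example of the pattern described in the answer and in Jacek's comment (a Deny with NotAction listing the allowed services, plus a condition that exempts one principal), added here as illustration; it is not code from either poster. The role name OrgAdminRole, the account ID and the role names in the sample requests are made up. Note that an SCP is attached to an OU or account, not to a role, so the exemption for the admin/break-glass principal is expressed as an ArnNotLike condition on aws:PrincipalARN; for an assumed role that key carries the IAM role ARN, not the session ARN. The small evaluator at the end is a deliberately simplified model of just this one statement (NotAction plus ArnNotLike), not a reimplementation of IAM evaluation, and exists only to show which requests the statement hits before you attach it to a sandbox OU.

```python
import fnmatch
import json

# Services users are allowed to use; every other service is denied by the SCP.
ALLOWED_SERVICES = ["ec2", "rds", "s3"]

# Hypothetical break-glass/admin role that must never be locked out by the SCP.
EXEMPT_PRINCIPAL_ARN = "arn:aws:iam::*:role/OrgAdminRole"


def build_scp(allowed_services, exempt_principal_arn):
    """Return the SCP document: Deny everything that is NOT one of the
    allowed services, unless the caller is the exempt principal.
    FullAWSAccess stays attached; this statement only narrows it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptAllowedServices",
                "Effect": "Deny",
                # NotAction: the statement applies to any action that
                # matches none of these patterns.
                "NotAction": [f"{svc}:*" for svc in allowed_services],
                "Resource": "*",
                "Condition": {
                    # Exempt the admin role so you cannot lock yourself out.
                    "ArnNotLike": {"aws:PrincipalARN": exempt_principal_arn}
                },
            }
        ],
    }


def _arn_like(pattern, value):
    # IAM ARN matching supports * and ? wildcards; ARNs contain no [ ].
    return fnmatch.fnmatchcase(value, pattern)


def _action_matches_any(action, patterns):
    # IAM action names are matched case-insensitively.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def scp_denies(scp, action, principal_arn):
    """Simplified model of the Deny/NotAction/ArnNotLike statement above.
    Returns True if the SCP explicitly denies `action` for `principal_arn`."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            applies = not _action_matches_any(action, stmt["NotAction"])
        else:
            applies = _action_matches_any(action, stmt.get("Action", []))
        if not applies:
            continue
        cond = stmt.get("Condition", {}).get("ArnNotLike", {})
        exempt_pattern = cond.get("aws:PrincipalARN")
        # ArnNotLike is satisfied (so the Deny fires) only when the caller
        # does NOT match the exempt pattern.
        if exempt_pattern is not None and _arn_like(exempt_pattern, principal_arn):
            continue
        return True
    return False


def evaluate_samples():
    """Run a few constructed requests through the model; used by the demo."""
    scp = build_scp(ALLOWED_SERVICES, EXEMPT_PRINCIPAL_ARN)
    dev = "arn:aws:iam::111122223333:role/DevRole"          # constructed
    admin = "arn:aws:iam::111122223333:role/OrgAdminRole"   # constructed
    return {
        "dev ec2:RunInstances": scp_denies(scp, "ec2:RunInstances", dev),
        "dev s3:GetObject": scp_denies(scp, "s3:GetObject", dev),
        "dev lambda:CreateFunction": scp_denies(scp, "lambda:CreateFunction", dev),
        "admin lambda:CreateFunction": scp_denies(scp, "lambda:CreateFunction", admin),
    }


if __name__ == "__main__":
    # The JSON below is what you would paste into the SCP editor and attach
    # to a sandbox OU first, as the answer and the comments recommend.
    print(json.dumps(build_scp(ALLOWED_SERVICES, EXEMPT_PRINCIPAL_ARN), indent=2))
    for request, denied in evaluate_samples().items():
        print(f"{request}: {'DENIED' if denied else 'allowed'}")
```

Attach the generated document to a sandbox OU first and test with a non-exempt role; if you exempt a role that you then delete or rename, the deny fires for everyone, so keep the exempt ARN pattern under change control.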