
I would like to allow users in all accounts in my AWS Organization (under a number of different OUs) to access only a few AWS services: RDS, EC2, S3, etc. In other words, I need to prevent access to anything else. I was thinking about using SCP but denying access to so many services seems to be a bad idea (the FullAWSAccess service control policy is attached by default). I would like to ask if you have ever done something like that and if you have, how?


1 Answer


SCP is the way to go.

You can deny everything with a whitelist condition.

Please bear in mind that you need to reduce the scope of your SCP; otherwise you end up preventing AWS service roles from performing standard operations, e.g. if you use CloudFormation stacks.

Therefore, you should apply this SCP only to the roles used by your users and services.

Tip: use one role for implementing the SCP and one role to test it. Start small and progress in small steps. Otherwise you might exclude yourself from any service in the AWS console.

    Definitely SCP. A few more thoughts based on my experience using SCP for a while. Test with one Sandbox OU, with specific roles. Note that the master account cannot have SCPs restricted. SCPs can be really fiddly, they're a union of the permissions of all the OUs and the account. When permissions don't work as expected I always look at SCP first, then IAM. Work from example SCPs, start small. – Tim Nov 02 '21 at 17:25
  • Thank you. I have used "Deny" with "NotAction" and listed allowed services, added condition excluding one user. Testing in dev env now, looks good so far. – Jacek Nov 03 '21 at 08:05
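The answer above and Jacek's follow-up comment describe the same construction: a single explicit Deny with a NotAction allowlist and a condition that exempts one principal. The script below is an added example, not code from the original post or from AWS: it builds that SCP for the three services named in the question, checks it against the 5,120-byte SCP document quota, and includes a small evaluator for exactly this policy shape (Deny + NotAction + ArnNotLike on aws:PrincipalARN) so the allow/deny outcome can be checked offline before anything is attached to an OU. The break-glass role name `OrgBreakGlass` and the account ID are hypothetical. The evaluator is not the IAM policy simulator; it models only the statement this script emits.

```python
import json
import re

# Constructed example inputs: the services the question wants to keep, and a
# hypothetical break-glass role that the Deny must never apply to.
ALLOWED_SERVICES = ["ec2", "rds", "s3"]
EXEMPT_PRINCIPALS = ["arn:aws:iam::*:role/OrgBreakGlass"]  # hypothetical role name
SCP_MAX_BYTES = 5120  # AWS Organizations quota for one SCP document


def build_allowlist_scp(allowed_services, exempt_principals):
    """Return an SCP that denies every action except those of the allowlisted
    services, unless the caller is one of the exempt principals.

    Because this is an explicit Deny, it sits on top of the default
    FullAWSAccess policy that stays attached to the OU; the services to block
    never have to be enumerated.  Note that SCPs never apply to the
    management account or to service-linked roles, so those are not covered.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEverythingExceptAllowlistedServices",
                "Effect": "Deny",
                "NotAction": [f"{svc}:*" for svc in sorted(allowed_services)],
                "Resource": "*",
                "Condition": {
                    # aws:PrincipalARN carries the role ARN (not the session
                    # ARN) for assumed-role callers, so a role pattern works.
                    "ArnNotLike": {"aws:PrincipalARN": list(exempt_principals)}
                },
            }
        ],
    }


def scp_size_ok(policy):
    """Whitespace counts toward the quota, so measure the compact encoding."""
    compact = json.dumps(policy, separators=(",", ":")).encode()
    return len(compact) <= SCP_MAX_BYTES


def _iam_match(pattern, value, case_insensitive):
    """Match an IAM wildcard pattern ('*' and '?') against a value."""
    regex = "".join(
        ".*" if tok == "*" else "." if tok == "?" else re.escape(tok)
        for tok in re.split(r"([*?])", pattern)
    )
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def scp_denies(policy, action, principal_arn):
    """Return True if the SCP explicitly denies `action` for `principal_arn`.

    Models only Deny statements of the NotAction + ArnNotLike shape produced
    by build_allowlist_scp; Allow statements and other condition operators
    are deliberately not handled.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        # Action names match case-insensitively in IAM.
        if any(_iam_match(p, action, True) for p in _as_list(stmt.get("NotAction"))):
            continue
        patterns = _as_list(
            stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        )
        # ArnNotLike: the condition holds when the principal matches none of
        # the listed ARN patterns (ARN matching is case-sensitive).
        if any(_iam_match(p, principal_arn, False) for p in patterns):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_allowlist_scp(ALLOWED_SERVICES, EXEMPT_PRINCIPALS)
    print(json.dumps(policy, indent=2))
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed account ID
    for action in ["ec2:RunInstances", "lambda:CreateFunction"]:
        verdict = "denied" if scp_denies(policy, action, dev) else "not denied"
        print(f"{action:24} -> {verdict} by this SCP for {dev}")
```

Two things to check before attaching the result: the allowlist as written also denies `sts:*` and `iam:*` for ordinary principals in the account, so whatever your sign-in and role-assumption path needs must be added to `ALLOWED_SERVICES` deliberately and then tested from a non-exempt role; and the exempt principal should be the separate test/break-glass role the answer recommends, not the role you are editing the policy from, otherwise the "not denied" result for it tells you nothing about what your users will see.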