awsdocs / aws-organizations-docs

The open source version of the AWS Organizations documentation. We welcome and encourage your feedback. You can submit feedback and requests for changes by submitting issues in this repo or by making proposed changes and submitting a pull request.

Updating example CloudTrail SCP to also prevent deleting a trail. #10

Closed richadams closed 5 years ago

richadams commented 5 years ago

Issue #, if available: N/A

Description of changes: The Service Control Policy (SCP) example for CloudTrail is meant to prevent users from disabling CloudTrail on an account. While it does prevent users from executing StopLogging on a trail, users are still able to outright delete a trail using the DeleteTrail action, which has the same outcome as disabling CloudTrail.

This change updates the example SCP to also deny the DeleteTrail action so that CloudTrail is more comprehensively protected from being disabled or deleted.


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
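The gap the pull request describes, as an added example that is not code from the documentation or this repository: a minimal checker that evaluates only Deny statements and Action wildcards (Resource and Condition are ignored) against two constructed SCPs, one denying only StopLogging and one that also denies DeleteTrail.

```python
import fnmatch
import json

# Constructed SCPs modelled on the PR description (not the documentation's own
# text). The "original" denies only StopLogging; the "updated" one adds DeleteTrail.
ORIGINAL_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}
  ]
}""")

UPDATED_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}
  ]
}""")


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively and support '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp: dict, action: str) -> bool:
    """True if any Deny statement covers the action (Resource/Condition ignored)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_action_matches(p, action) for p in patterns):
            return True
    return False


def coverage_gaps(scp: dict, actions: list) -> list:
    """Return the actions from the list that the SCP leaves un-denied."""
    return [a for a in actions if not scp_denies(scp, a)]


# Both of these actions stop a trail from delivering logs.
DISABLING_ACTIONS = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]

if __name__ == "__main__":
    for name, scp in (("original", ORIGINAL_SCP), ("updated", UPDATED_SCP)):
        print(name, "gaps:", coverage_gaps(scp, DISABLING_ACTIONS))
```

Running it prints `cloudtrail:DeleteTrail` as the only gap for the original policy and no gaps for the updated one.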

carlasp commented 5 years ago

Thank you for your contribution! I am looking into this.

carlasp commented 5 years ago

We appreciate your contribution but after checking with the affected teams, we're going to leave the example SCP as is. The example SCP is correct as is. Thank you!