Closed richadams closed 5 years ago
Thank you for your contribution! I am looking into this.
We appreciate your contribution but after checking with the affected teams, we're going to leave the example SCP as is. The example SCP is correct as is. Thank you!
Issue #, if available: N/A
Description of changes: The Service Control Policy (SCP) example for CloudTrail is meant to prevent users from disabling CloudTrail on an account. While it does prevent users from executing StopLogging on a trail, users are still able to outright delete a trail using the DeleteTrail action, which has the same outcome of disabling CloudTrail.
This change updates the example SCP to also deny the DeleteTrail action so that CloudTrail is more comprehensively protected from being disabled or deleted.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
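
An added example, not part of the pull request or of the AWS documentation: a small Python check that reports which of the two actions named in the description an SCP does not unconditionally deny. The sample policies and all function names are constructed for illustration, and the check deliberately ignores Deny statements that carry a Condition or are scoped to specific resources.

```python
import fnmatch

# Actions named in the pull request; "cloudtrail:" is the IAM service prefix.
REQUIRED = ("cloudtrail:StopLogging", "cloudtrail:DeleteTrail")

def _as_list(value):
    """Policy fields may be a single string/object or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(patterns, action):
    # IAM action matching is case-insensitive; * and ? are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def unconditionally_denied(policy, action):
    """True if a Deny statement covers `action` on all resources with no Condition."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue  # conditional denies are not counted
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # denies scoped to specific ARNs are not counted
        if "NotAction" in stmt:
            hit = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            hit = _matches(_as_list(stmt.get("Action")), action)
        if hit:
            return True
    return False

def missing_denies(policy, required=REQUIRED):
    """Return the required actions the policy does not unconditionally deny."""
    return [a for a in required if not unconditionally_denied(policy, a)]

# Constructed sample policies (not copied from the AWS documentation).
STOP_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}
STOP_AND_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}

if __name__ == "__main__":
    for name, pol in (("STOP_ONLY", STOP_ONLY), ("STOP_AND_DELETE", STOP_AND_DELETE)):
        print(name, "missing:", missing_denies(pol) or "none")
```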