awsdocs / aws-organizations-docs

The open source version of the AWS Organizations documentation. We welcome and encourage your feedback. You can submit feedback and requests for changes by submitting issues in this repo or by making proposed changes and submitting a pull request.

need clarification on SCP #13

Closed EMCP closed 5 years ago

EMCP commented 5 years ago

I am creating two OUs: a personal one, and then one for a company.
I am logged in as my root account, trying to create a policy in which the "Production" OU can only use S3, EC2, Route53, ElasticBeanstalk and LoadBalancer... yet whenever I try to get this through and submit, it states

"The provided policy document does not meet the requirements of the specified policy type."

It's unclear what I need to add to make this work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "a4b:*"
            ],
            "Resource": "*"
        }
    ]
}

Am I just in the wrong place and this doesn't belong in SCP? What are some good SCPs for small startups or orgs? I'm thinking of requiring 2FA on everything at first?

EMCP commented 5 years ago

I see now I should likely be using IAM roles and enable those needed features for a ROLE, whereas org is about applying some blanket rules over an entire org. I want to try and deny a lot of the fancy services from being spun up in the production org though.

carlasp commented 5 years ago

SCPs are necessary but not sufficient for granting access in the accounts in your organization. Attaching an SCP to the organization root or an organizational unit (OU) defines a guardrail for what actions accounts within the organization root or OU can do. You still need to attach IAM policies to users and roles in your organization's accounts to actually grant permissions to them. With an SCP attached to those accounts, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action. If both a permissions boundary (an advanced IAM feature) and an SCP are present, then the boundary, the SCP, and the identity-based policy must all allow the action. For more information, see Policy Evaluation Logic in the IAM User Guide.

I will log your request for SCPs for small businesses. In the meantime, there are some new example SCPs in the docs here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html
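As an added illustration of the evaluation order carlasp describes (this is not code from the issue or from the AWS docs), here is a small Python model that checks an action against the SCP layer, an identity-based policy and an optional permissions boundary. The deny-list SCP for the "Production" OU and the role policy are constructed for the example; the evaluator ignores resources and conditions.

```python
import fnmatch

# Constructed example, not code from the AWS docs or this issue: a simplified
# model of the evaluation order described above. The SCP layer, the identity
# policy and any permissions boundary must ALL allow an action and any explicit
# Deny wins. Resources, conditions and resource-based policies are omitted.

def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def policy_decision(policy, action):
    """Return 'Deny', 'Allow', or 'Implicit' when no statement matches."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = _matches(stmt["Action"], action)
        else:  # NotAction: statement applies to everything NOT listed
            hit = not _matches(stmt["NotAction"], action)
        if hit and stmt["Effect"] == "Deny":
            return "Deny"
        if hit:
            decision = "Allow"
    return decision

def is_allowed(action, scps, identity_policy, boundary=None):
    # All SCPs attached along the root/OU path act as one layer.
    scp_layer = {"Statement": [s for p in scps for s in p["Statement"]]}
    layers = [scp_layer, identity_policy] + ([boundary] if boundary else [])
    return all(policy_decision(p, action) == "Allow" for p in layers)

# AWS-managed default SCP; it stays attached when using a deny-list strategy.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed deny-list SCP for the "Production" OU: block every service
# except the five the issue asks for.
PRODUCTION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllButApproved", "Effect": "Deny", "Resource": "*",
    "NotAction": ["s3:*", "ec2:*", "route53:*", "elasticbeanstalk:*",
                  "elasticloadbalancing:*"]}]}

# Constructed identity-based policy on a role in a production account.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for action in ("s3:GetObject", "ec2:RunInstances", "lambda:CreateFunction"):
        print(action, is_allowed(action, [FULL_AWS_ACCESS, PRODUCTION_SCP], ROLE_POLICY))
```

Only s3:GetObject passes: ec2:RunInstances is permitted by the SCP but never granted by the role policy, and lambda:CreateFunction is stopped by the SCP guardrail regardless of what the role policy grants.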