'AWS : SCP allow specific service for a specific OU
Here it says, https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_strategies.html
"For a permission to be enabled for a specified account, every SCP from the root through each OU in the direct path to the account, and even attached to the account itself, must allow that permission."
I wanted to allow a service only at a specific OU. But this doc says for that I should start allowing that service from root itself. In that case, it will affect all other OUs, right?
amazon-web-servicesSolution 1:[1]
It will not affect all OUs because SCPs on all levels must allow it.
Let's assume you have the following hierarchy:
root -- OU1 -- OU11
\ \
\ - OU12
\
- OU2 -- OU21
\
- OU22
If you want to allow OU21 to write S3 buckets, then you add this permission to OU21. In addition you need to add this permission to the nodes above (OU2, root).
The point here is that OU22, OU11, OU12 are now allowed to write S3 buckets because the SCP of OU22, OU11, OU12 is denying it.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Martin Garbe |