Clarification on Organization Complexity Question
Gerome-TutorialsDojo updated 3 years, 11 months ago
Team
The question below states that an SCP is not the correct solution here. Can you explain?
The AWS resources in your production account are shared among various business units of the company. A single business unit may have one or more AWS accounts which have resources in the production account. There were a lot of incidents in which the developers from a specific business unit accidentally terminated the EC2 instances owned by another business unit. You are tasked to come up with a solution to only allow the specific business unit that owns the EC2 instances, and other AWS resources, to terminate their own resources.
Correct answer:
Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, into individual Organizational Units (OUs). Create an IAM Role in the production account which has a policy that allows access to the EC2 instances, including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the IAM policy to every member account of the OU.
The following options are incorrect because an SCP policy simply specifies the services and actions that users and roles can use in the accounts:
Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, into individual Organizational Units (OUs). Create a Service Control Policy in the production account for each business unit which has a policy that allows access to the EC2 instances, including a resource-level permission to terminate the instances that it owns. Provide the cross-account access and the SCP to the individual member accounts to tightly control who can terminate the EC2 instances.
Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, into individual Organizational Units (OUs). Create a Service Control Policy in the production account which has a policy that allows access to the EC2 instances, including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the SCP to the OUs, which will then be automatically inherited by their member accounts.
But can't we create an SCP like the one below, replacing root with the specific accounts?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
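For comparison, this is the kind of identity-based policy the correct answer describes: attached to an IAM role in the production account and assumed cross-account by the business unit's member accounts, it grants terminate permission only on instances carrying that unit's tag, something an SCP cannot do because SCPs never grant permissions. This is an added illustration, not code from the original post or the exam item; the `BusinessUnit` tag, the `finance` value, and the account ID and region are placeholder assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeInstancesForConsoleAndCli",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "StopAndTerminateOnlyOwnBusinessUnitInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:111111111111:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/BusinessUnit": "finance"
        }
      }
    }
  ]
}
```

Each business unit gets its own role with its own tag value in the condition, and the role's trust policy lists only that unit's OU member accounts; a principal from another unit that assumes the wrong role is denied by default because no statement matches its instances' tag.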
-
Hello jithin,
Thanks for the feedback.
Please refrain from posting duplicate questions.
Regards,
Gerome @ Tutorials Dojo