AWS Certified Solutions Architect Professional forum: Clarification on SCP

  • jithin

    Member
    November 5, 2020 at 4:05 pm

    Team

    The question below states that an SCP is not the correct solution here. Can you explain?

    The AWS resources in your production account are shared among various business units of the company. A single business unit may have one or more AWS accounts which have resources in the production account. There were a lot of incidents in which the developers from a specific business unit accidentally terminated the EC2 instances owned by another business unit. You are tasked to come up with a solution to only allow a specific business unit who own the EC2 instances, and other AWS resources, to terminate their own resources.

    Correct answer:

    Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Create an IAM Role in the production account which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the IAM policy to every member account of the OU.

    The following options are incorrect because an SCP policy simply specifies the services and actions that users and roles can use in the accounts:

    Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Create a Service Control Policy in the production account for each business unit which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances that it owns. Provide the cross-account access and the SCP to the individual member accounts to tightly control who can terminate the EC2 instances.

    Use AWS Organizations to centrally manage all of your accounts. Group your accounts, which belong to a specific business unit, to individual Organization Units (OU). Create a Service Control Policy in the production account which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the SCP to the OUs, which will then be automatically inherited by its member accounts.

    But can’t we create an SCP like the one below, replacing root with the specific accounts?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
          "Effect": "Deny",
          "Action": [
            "ec2:StopInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": "*",
          "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
        }
      ]
    }

  • Gerome-TutorialsDojo

    Member
    November 6, 2020 at 10:51 am

    Hello jithin,

    Thanks for the feedback.

    Based on the given scenario, the AWS resources in your production account are shared among various business units of the company. This means that the production account is using AWS Organizations to group accounts together to administer as a single unit.

    With resource-level permissions, you can specify which resources users are allowed to perform actions on. For example, you can grant users permissions to launch instances, but only of a specific type, and only using a specific AMI.

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html

    Take note that SCPs alone are not sufficient to grant permissions to the accounts in your organization. You must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts, to actually grant permissions. Also, SCPs only allow or deny the use of an AWS service; you don’t want to block OUs from completely using the EC2 service. The best solution here is to “Create an IAM Role in the production account which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the IAM policy to every member account of the OU.”

    https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

    I hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Gerome @ Tutorials Dojo
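To make Gerome's point concrete, here is an added Python model of how the two policy layers in this thread combine for an `ec2:TerminateInstances` call. It is not code from the thread or from Tutorials Dojo, and it is not AWS's real evaluation engine: it models only the SCP filter followed by the identity-based policy and only the two condition operators used here (`BoolIfExists` and `StringEquals`). The cross-account role policy uses a resource-level condition that compares the instance's `BusinessUnit` tag with the caller's principal tag of the same name; that tag key, the account id `111122223333` and every request context are constructed for the demo.

```python
"""Toy model of SCP + identity-based policy evaluation for an EC2 terminate call.

Added example for this thread, not AWS's evaluation engine and not Tutorials Dojo's code.
It keeps only the two layers discussed above (SCP filter, then identity policy) and only
the operators used here (StringEquals, BoolIfExists). The tag key "BusinessUnit", the
account id 111122223333 and all request contexts below are constructed for the demo.
"""
import re
from fnmatch import fnmatchcase

# The SCP from the question: an explicit Deny that never grants anything by itself.
MFA_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
        "Effect": "Deny",
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# AWS attaches an allow-everything SCP by default; without an Allow at this layer nothing runs.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Identity-based policy for the cross-account role in the production account. The
# resource-level condition lets a principal terminate only instances tagged with the
# principal's own business unit (assumes the role session carries a BusinessUnit tag).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Sid": "TerminateOwnBusinessUnitOnly",
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:*:111122223333:instance/*",
            "Condition": {"StringEquals": {
                "ec2:ResourceTag/BusinessUnit": "${aws:PrincipalTag/BusinessUnit}"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(value, ctx):
    """Substitute ${context-key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), value)


def condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "StringEquals":
                if ctx.get(key) != _expand(expected, ctx):
                    return False
            elif operator == "BoolIfExists":
                # A missing key satisfies the condition (the "IfExists" part).
                if key in ctx and str(ctx[key]).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def statement_matches(stmt, action, resource, ctx):
    action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and condition_holds(stmt.get("Condition", {}), ctx)


def decide(policies, action, resource, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    outcome = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                outcome = "Allow"
    return outcome


def is_allowed(action, resource, ctx, scps, identity_policies):
    # Layer 1: SCPs only filter. An Allow here is required but never sufficient.
    if decide(scps, action, resource, ctx) != "Allow":
        return False
    # Layer 2: an identity-based (or resource-based) policy must actually grant the action.
    return decide(identity_policies, action, resource, ctx) == "Allow"


def run_scenarios():
    action = "ec2:TerminateInstances"
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"  # constructed
    scps = [FULL_AWS_ACCESS_SCP, MFA_SCP]

    def ctx(principal_bu, resource_bu, mfa):
        return {"aws:PrincipalTag/BusinessUnit": principal_bu,
                "ec2:ResourceTag/BusinessUnit": resource_bu,
                "aws:MultiFactorAuthPresent": mfa}

    return {
        "own_unit_with_mfa": is_allowed(action, instance, ctx("payments", "payments", True), scps, [ROLE_POLICY]),
        "other_unit_with_mfa": is_allowed(action, instance, ctx("payments", "logistics", True), scps, [ROLE_POLICY]),
        "own_unit_without_mfa": is_allowed(action, instance, ctx("payments", "payments", False), scps, [ROLE_POLICY]),
        "scp_only_no_role_policy": is_allowed(action, instance, ctx("payments", "payments", True), scps, []),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The fourth scenario is the one the thread turns on: with the MFA SCP in place but no identity-based policy, the terminate call is still denied, because an SCP only narrows what the accounts in the OU may use and never grants anything. The ownership check lives in the role policy's `ec2:ResourceTag` condition, which is where resource-level permissions can be expressed.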
