  • Fundamental Error in Question on SCP Allow Inheritance

  • PeterMescher

    Member
    March 10, 2026 at 4:35 am

    A multinational bank has recently set up AWS Organizations to manage its several AWS accounts from their various business units. The Senior Solutions Architect attached the SCP below to an Organizational Unit (OU) to define the services that its member accounts can use:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["EC2:*", "S3:*"],
                "Resource": "*"
            }
        ]
    }
    In one of the member accounts under that OU, an IAM user tried to create a new S3 bucket but was getting a permission denied error.

    An “incorrect” answer is: “All accounts within the OU do not automatically inherit the policy attached to them. You still have to manually attach the SCP to the individual AWS accounts of the OU.” is incorrect because an SCP attached to an OU is automatically inherited by all accounts within that same OU.

    This answer option is, in fact, a correct (and frankly, the most-likely) one. Only deny statements are inherited. Allow statements must be explicit at every level of the OU.

    For a permission to be allowed for a specific account, there must be an explicit Allow statement at every level from the root through each OU in the direct path to the account (including the target account itself).

    So, attaching the SCP to the OU itself is insufficient.

    • This discussion was modified 1 month, 1 week ago by PeterMescher.
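An added example (not part of the post or of any AWS tooling) that evaluates the SCP layer the way the post describes it: an action passes only if some Allow matches it at every level on the path root -> OU -> account, and an explicit Deny at any level wins. It assumes AWS's default FullAWSAccess SCP on root and account, constructs a second "EC2 only" account SCP for contrast, and checks only SCPs; the IAM user would additionally need an identity policy that grants s3:CreateBucket.

```python
import fnmatch

# Assumed evaluation rule (from the post's reasoning, not AWS code): an action is
# permitted only if an Allow matches it at EVERY level on the path and no Deny
# matches it at ANY level. SCPs never grant permissions on their own.

# Constructed policies. FULL_AWS_ACCESS mirrors the default SCP AWS attaches to
# every root, OU and account; OU_SCP is the policy quoted in the post.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["EC2:*", "S3:*"], "Resource": "*"}]}
# Hypothetical SCP someone attached to the account in place of FullAWSAccess.
EC2_ONLY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # Action names are case-insensitive; "*" and "s3:*" style globs are honoured.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def level_allows(scps, action):
    """Evaluate every SCP attached to ONE level: a matching Deny wins outright,
    otherwise at least one matching Allow is required."""
    allowed = False
    for scp in scps:
        for statement in scp["Statement"]:
            if _matches(statement, action):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def scp_permits(path, action):
    """path: the SCP sets attached at each level, root first, account last."""
    return all(level_allows(scps, action) for scps in path)

# Scenario 1: defaults untouched. The OU SCP narrows its accounts to EC2 and S3.
DEFAULT_PATH = [[FULL_AWS_ACCESS], [OU_SCP], [FULL_AWS_ACCESS]]
# Scenario 2: the account's own SCP allows only EC2, so the OU's S3 Allow is
# not enough on its own: S3 calls fail at the account level.
EC2_ONLY_ACCOUNT_PATH = [[FULL_AWS_ACCESS], [OU_SCP], [EC2_ONLY_SCP]]

if __name__ == "__main__":
    for name, path in (("defaults", DEFAULT_PATH), ("ec2-only account", EC2_ONLY_ACCOUNT_PATH)):
        for action in ("s3:CreateBucket", "ec2:RunInstances", "dynamodb:PutItem"):
            print(f"{name:17} {action:18} -> {scp_permits(path, action)}")
```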