  • SCPs and IAM policies for tags

  • juano1985

    Member
    March 5, 2024 at 2:54 am

    Hi Jon,

    Why do we still need an IAM policy in each AWS account if we have an SCP that will restrict the ec2:RunInstances for all accounts if they don’t create it with the required tag? Shouldn’t an SCP be sufficient in this case?

    Thanks!

  • JR-TutorialsDojo

    Administrator
    March 7, 2024 at 1:54 pm

    Hi juano1985,

    Thanks for your feedback.

    IAM policies and SCPs serve different purposes but can complement each other for enhanced security and management in AWS.

    • IAM Policy: An IAM policy is more granular and applies to users, groups, and roles within a specific AWS account. It allows or denies permissions to specific AWS services and resources and provides fine-grained control within an AWS account.

    • Service Control Policies (SCPs): An SCP is used at the organization level to set permission boundaries for all AWS accounts within the organization. It’s a way to centrally control the maximum available permissions for all accounts in your organization.

    Having both allows for layered security – SCPs ensure organization-wide compliance with certain restrictions, while IAM policies provide detailed permissions within each account. So, even if an SCP restricts the ec2:RunInstances action across all accounts, having an IAM policy in each AWS account provides an additional layer of security by ensuring that the required tags are added at the account level. This way, even if the SCP were to be modified or removed, the IAM policy would still enforce the tagging requirement. Therefore, using SCPs and IAM policies together provides a more robust and flexible security configuration.

    Please refer to this: https://tutorialsdojo.com/service-control-policies-scp-vs-iam-policies/

    I hope this helps! Let me know if you have any further questions.

    Best Regards.

  • juano1985

    Member
    March 11, 2024 at 12:14 am

    Hi,

    Thanks for your reply. I didn’t think about the possibility of the SCP being removed in the near future in this scenario; if that were to happen, then yes, everyone would be able to launch instances without the tags again. Although I agree that using both is more secure, it certainly entails a lot of overhead to create an IAM policy in each AWS account when you can do this centrally with an SCP, which is the whole purpose in the first place: not needing to go into every AWS account and do this one by one. I guess my question is more to know if you were to have just this SCP applied, will it restrict people from running EC2 instances without the tags or not? If the SCP is there, do we still need to have IAM policies in place for the restriction to be in place? Or is this just because it’s a best practice to have both, so it will be more secure?

    Thanks!

    Juan

    • JR-TutorialsDojo

      Administrator
      March 11, 2024 at 12:49 pm

      Hi juano1985,

      You’re correct that managing IAM policies in each AWS account can be a bit of an overhead. However, the purpose of having both SCPs and IAM policies is to provide layered security.

      To answer your question, yes, an SCP alone can restrict people from running EC2 instances without the required tags. If the SCP is in place and properly configured, it will enforce the restrictions as defined.

      However, the reason for also having IAM policies is to provide an additional layer of security at the account level. This is particularly useful in scenarios where the SCP might be modified or removed. With an IAM policy in place, the tagging requirement would still be enforced even if the SCP were removed.

      I hope this clarifies your question.

      Best Regards,
      JR @ Tutorials Dojo
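To make the two answers above concrete, here is an added example that is not part of the thread or of Tutorials Dojo's material. It embeds a tag-requiring SCP modelled on the AWS-documented "require a tag on created EC2 resources" pattern, a broad account-level IAM allow, and a deliberately small stand-in for the IAM policy evaluator (explicit Deny wins; SCP Allow is assumed through the default FullAWSAccess policy; only the Null condition operator is implemented). The tag key CostCenter, the account ID and the policies themselves are constructed for the demo. It shows three things: an SCP Deny blocks the launch even though the IAM policy says Allow, removing the SCP reopens the hole, and because RunInstances authorises the instance and its volume as separate resources, tagging only the instance is still denied when the SCP covers volumes.

```python
"""Model of how an SCP Deny and an account-level IAM Allow combine for ec2:RunInstances.

Added example, not code from the forum thread. The evaluator is a simplification of the
real IAM algorithm: any explicit Deny (SCP or IAM) wins, otherwise an IAM Allow is required,
and SCPs are assumed to still carry the default FullAWSAccess Allow. Only the "Null"
condition operator is implemented. Tag key, account ID and policies are constructed.
"""
import fnmatch
import json

# Hypothetical SCP attached to the OU: deny creating an instance or volume through
# RunInstances unless the request tags that resource type with CostCenter.
REQUIRE_TAG_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyRunInstancesWithoutCostCenterTag",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
    "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}
  }]
}
""")

# Hypothetical account-level IAM policy that grants EC2 broadly (no tag condition).
ADMIN_IAM_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, request_tags):
    """Only the Null operator is modelled: Null/<key>: "true" matches when the key is absent."""
    for operator, pairs in condition.items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for context_key, expected in pairs.items():
            tag_key = context_key.split("aws:RequestTag/", 1)[1]
            key_absent = tag_key not in request_tags
            if key_absent != (str(expected).lower() == "true"):
                return False
    return True


def _statement_matches(stmt, action, resource, request_tags):
    if not any(fnmatch.fnmatch(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), request_tags)


def evaluate(action, resource, request_tags, scps, iam_policies):
    """Return 'ALLOW' or 'DENY' for one resource of a request (explicit Deny wins)."""
    for policy in scps + iam_policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _statement_matches(stmt, action, resource, request_tags):
                return "DENY"
    for policy in iam_policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Allow" and _statement_matches(stmt, action, resource, request_tags):
                return "ALLOW"
    return "DENY"  # implicit deny: nothing allowed it


def run_instances(tag_specs, scps, iam_policies, account="111122223333"):
    """Simulate ec2:RunInstances, which authorises each created resource type separately.

    tag_specs maps a resource type ("instance", "volume") to the tags requested for it,
    mirroring the TagSpecifications parameter of the API call. The launch succeeds only
    if every created resource is allowed.
    """
    decisions = {}
    for resource_type in ("instance", "volume"):
        arn = f"arn:aws:ec2:us-east-1:{account}:{resource_type}/*"
        decisions[resource_type] = evaluate(
            "ec2:RunInstances", arn, tag_specs.get(resource_type, {}), scps, iam_policies)
    return "ALLOW" if all(d == "ALLOW" for d in decisions.values()) else "DENY"


if __name__ == "__main__":
    both_tagged = {"instance": {"CostCenter": "1234"}, "volume": {"CostCenter": "1234"}}
    print("no tags, SCP present:      ", run_instances({}, [REQUIRE_TAG_SCP], [ADMIN_IAM_POLICY]))
    print("instance tagged only:      ", run_instances({"instance": {"CostCenter": "1234"}},
                                                       [REQUIRE_TAG_SCP], [ADMIN_IAM_POLICY]))
    print("instance and volume tagged:", run_instances(both_tagged, [REQUIRE_TAG_SCP], [ADMIN_IAM_POLICY]))
    print("no tags, SCP removed:      ", run_instances({}, [], [ADMIN_IAM_POLICY]))
```

The SCP alone is enough to block the launch because an SCP Deny is evaluated before any account-level Allow; the account IAM policy cannot override it. The last case is the one the reply warns about: detach the SCP and the same broad IAM allow lets untagged launches through again. Note also that the SCP must be attached to the OU or account holding the principals; it does not apply to the management account, and a practitioner would verify the effect with an actual launch attempt from a member-account role rather than trusting the policy text.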

      • juano1985

        Member
        March 11, 2024 at 10:45 pm

        Hi!

        Thanks for the reply. Your explanation is very clear and I understood now much better. I would like to take the chance to congratulate you and thank you for this awesome site. I used tutorialsdojo to pass my AWS Solutions Architect Associate exam about two years ago and thanks to these practice tests I can say I was able to learn a lot and get in great shape to pass. Now I’m preparing the professional certification which is very challenging :-), but as I dive deeper into these tests I am gaining a huge amount of knowledge and reaffirming concepts. Thanks for this and keep up the awesome work!

        Best,

        Juan

        • JR-TutorialsDojo

          Administrator
          March 12, 2024 at 12:08 pm

          Hello Juan,

          Thank you so much for your kind words! It’s always a pleasure to hear from our users, and I’m thrilled to hear that our site has been helpful in your journey. Congratulations on passing your AWS Solutions Architect Associate exam. That’s a fantastic achievement!

          I’m glad to hear that you’re finding our practice tests useful as you prepare for your professional certification. It’s definitely a challenging step up, but it sounds like you’re approaching it with the right attitude and dedication.

          Remember, the key to success is consistency and understanding the concepts thoroughly. Don’t hesitate to reach out if you have any questions or need further clarification on any topics. We’re here to help.

          Thank you again for your feedback, and best of luck with your studies and upcoming exam.

          Cheers,
          JR @ Tutorials Dojo
