
Reply To: Clarification on SCP

  • Gerome-TutorialsDojo

    Member
    November 6, 2020 at 10:51 am

    Hello jithin,

    Thanks for the feedback.

    Based on the given scenario, the AWS resources in your production account are shared among various business units of the company. This means that the production account is using AWS Organizations to group accounts together to administer as a single unit.

    With resource-level permissions, you can specify which resources users are allowed to perform actions on. For example, you can grant users permissions to launch instances, but only of a specific type, and only using a specific AMI.

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html

    Take note that SCPs alone are not sufficient for granting permissions to the accounts in your organization. You must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts, to actually grant permissions. Also, SCPs only allow or deny the use of an AWS service; you don’t want to block OUs from completely using the EC2 service. The best solution here is to “Create an IAM Role in the production account which has a policy that allows access to the EC2 instances including a resource-level permission to terminate the instances owned by a particular business unit. Provide the cross-account access and the IAM policy to every member accounts of the OU.”

    https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

    I hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Gerome @ Tutorials Dojo
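
To make the recommended design concrete, here is an added example that is not part of this forum reply and is not Tutorials Dojo's or AWS's code. It builds the two policy documents the answer describes for the production-account role: a trust policy that lets only the OU's member accounts assume the role, and a permissions policy whose `ec2:TerminateInstances` statement is scoped with the real `ec2:ResourceTag/<key>` condition key so that only instances tagged for one business unit can be terminated. The account IDs, the `BusinessUnit` tag key and the role name are constructed placeholders; the `terminate_allowed` helper is a simplified local mirror of that one tag condition for reasoning about scope offline, not an IAM policy simulator.

```python
"""Cross-account IAM role scoped to one business unit's EC2 instances.

Added example, not code from the forum thread, Tutorials Dojo or AWS.
Account IDs, the tag key and the role name are constructed placeholders.
"""
import json

PROD_ACCOUNT = "111111111111"                        # constructed placeholder
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]   # constructed placeholders
TAG_KEY = "BusinessUnit"                             # assumed tag convention
ROLE_NAME = "BusinessUnitEC2Operator"                # hypothetical role name


def trust_policy(member_accounts):
    """Who may assume the role: only the member accounts of the OU."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "AWS": [f"arn:aws:iam::{acct}:root" for acct in member_accounts]
            },
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(prod_account, business_unit):
    """Read access to instances, terminate only those tagged for the BU."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ec2:DescribeInstances does not support resource-level
                # permissions, so its Resource has to be "*".
                "Sid": "ListInstances",
                "Effect": "Allow",
                "Action": "ec2:DescribeInstances",
                "Resource": "*",
            },
            {
                # Resource-level permission: the instance ARN pattern plus a
                # tag condition restricts termination to this business unit.
                "Sid": "TerminateOwnBusinessUnitOnly",
                "Effect": "Allow",
                "Action": "ec2:TerminateInstances",
                "Resource": f"arn:aws:ec2:*:{prod_account}:instance/*",
                "Condition": {
                    "StringEquals": {f"ec2:ResourceTag/{TAG_KEY}": business_unit}
                },
            },
        ],
    }


def terminate_allowed(policy, instance_tags):
    """Simplified local check: does any Allow statement for
    ec2:TerminateInstances match the instance's tags?

    Only the StringEquals / ec2:ResourceTag condition is mirrored here;
    this is not an IAM simulator (no SCPs, no explicit Deny handling).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "ec2:TerminateInstances":
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # A statement with no condition matches unconditionally (all([]) is True).
        if all(instance_tags.get(key.split("/", 1)[1]) == value
               for key, value in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    policy = permissions_policy(PROD_ACCOUNT, "Finance")
    print(json.dumps(trust_policy(MEMBER_ACCOUNTS), indent=2))
    print(json.dumps(policy, indent=2))
    print("finance instance:", terminate_allowed(policy, {TAG_KEY: "Finance"}))
    print("marketing instance:", terminate_allowed(policy, {TAG_KEY: "Marketing"}))
```

The two documents map directly onto the AWS CLI calls `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy --policy-document`, run in the production account, after which a principal in a member account uses `sts:AssumeRole` on the role's ARN. The scoping only holds if every instance actually carries the tag, so pairing the policy with a tagging requirement at launch time is part of the design, not an afterthought.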