Based on your logic, we should be able to create the bucket because the account is already inheriting the FullAWSAccess SCP from Root and Sandbox OU. However, the account itself does not have the FullAWSAccess SCP attached. So going back to the documentation:
For a permission to be allowed for a specific account, there must be an explicit allow statement at every level from the root through each OU in the direct path to the account (including the target account itself).
The question does not explicitly say anything about the SCPs attached to the account level. So we can’t rule out a misconfigured SCP as a potential issue.
This reply was modified 1 month, 2 weeks ago by Jayid.
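The evaluation rule quoted from the documentation in the reply above, as an added example that is not part of the original post: a simplified Python model that checks only Effect and Action and ignores Resource, Condition and NotAction. The EC2_ONLY policy and the contents of each level are constructed assumptions; the thread itself only names Root, the Sandbox OU and FullAWSAccess.

```python
from fnmatch import fnmatchcase

# AWS-managed FullAWSAccess SCP: allows every action on every resource.
FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
# Constructed SCP for illustration (assumption): allows only EC2 actions.
EC2_ONLY = [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]


def _matches(statement, action):
    """True if the statement's Action patterns cover the action (case-insensitive)."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_allows(scps, action):
    """A level allows an action if an attached SCP allows it and none denies it."""
    statements = [s for policy in scps for s in policy]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in statements)


def evaluate_path(path, action):
    """Walk root -> OUs -> account; return (allowed, first level that blocks)."""
    for name, scps in path:
        if not level_allows(scps, action):
            return False, name
    return True, None


# Constructed hierarchy: FullAWSAccess at Root and the Sandbox OU, but not on the account.
ACCOUNT_WITHOUT_FULL_ACCESS = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Sandbox OU", [FULL_AWS_ACCESS]),
    ("Account", [EC2_ONLY]),
]
# Same path with FullAWSAccess attached directly to the account as well.
ACCOUNT_WITH_FULL_ACCESS = ACCOUNT_WITHOUT_FULL_ACCESS[:2] + [("Account", [FULL_AWS_ACCESS])]

if __name__ == "__main__":
    for label, path in [("without", ACCOUNT_WITHOUT_FULL_ACCESS), ("with", ACCOUNT_WITH_FULL_ACCESS)]:
        print(label, evaluate_path(path, "s3:CreateBucket"))
```

An SCP only sets the permission boundary; the principal still needs an IAM policy that grants the action.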