Hi, the policy you used gives users with the same division type access to start the instances. This, however, doesn't imply that only they can perform those actions. Therefore, assuming your user still has ec2:StartInstances or ec2:* on resource *, that access won't be revoked.
Since it is evident that you are using AWS Organizations, I recommend using custom Service Control Policies instead.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Hi Gab, thanks for your reply!
I had used a test account that had no other permissions. The account was unable to start/stop instances at first, and it worked after the Division had been set accordingly. But it kept working after I changed the Division back, for quite some time, until eventually it stopped. Weird, but in the end, no big problem.
Whoops, and after a month I come back and find this draft still unsent - sorry. Yeah, I had opened a browser tab to check out the Service control policies stuff, and never got around to it, until now. Interesting stuff, actually! Another layer of control, that's cool. Not sure yet how to apply it in my case. They deny access to resources, but if I set such a rule via SCP that denies if the Division does not match, how would I make exceptions? But that's getting outside of this question's scope I guess, I'll just keep on reading on that stuff.
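As an added example (not part of the original thread, and not the policy the poster used), here is what a Deny-style SCP for this case could look like. An Allow with a tag condition only adds permissions and cannot take away what another Allow grants; an explicit Deny in an SCP overrides every Allow in the member account. This statement denies starting or stopping an instance whenever the caller's `Division` principal tag does not equal the instance's `Division` tag, and carves out an exception for callers assuming a role named `OrgAdminRole`. The tag key `Division`, the role name `OrgAdminRole` and the choice of actions are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceStartStopOutsideOwnDivision",
      "Effect": "Deny",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceTag/Division": "${aws:PrincipalTag/Division}"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdminRole"
        }
      }
    }
  ]
}
```

Two things to check before attaching this to an OU: the two condition operators are ANDed, so the Deny only fires when the tags differ and the caller is not the exception role; and because a missing `aws:ResourceTag/Division` key makes `StringNotEquals` evaluate to true, instances without a `Division` tag are also denied (use `StringNotEqualsIfExists` if that is not the intent). The SCP removes nothing from the management account, and it still needs an Allow in the member account's IAM policies for anyone to start instances at all.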