- 新しい順
- 投票が多い順
- コメントが多い順
When you create AWS organization, by default FullAWSAccess SCP gets created and attached to all accounts in an organization and this can not be edited but can be detached from any of the member accounts. This can only be detached if there is one other SCP already attached to that account.
Here is the content of that default SCP FullAWSAccess:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Any action that isn't explicitly allowed by an SCP is implicitly denied and can't be delegated to users or roles in the affected accounts.
Reference: AWS SCP Inheritance
SCP doesn't grant anything but it's a guardrail, which is used to allow everything(Doesn't grant) and then deny specific resources/services based on condition.
Refer SCP permissions effect for additional details.
If you haven't already gone through this Policy Evaluation Logic doc and Permissions Chart, which you'd find super helpful to see how does this evaluation work.
Hope you find this useful.
Abhishek
This chart explains how these policies are evaluated, Determining whether a request is allowed or denied within an account.
関連するコンテンツ
- AWS公式更新しました 8ヶ月前
Do you have any additional question, please feel free to comment. Happy to help.