By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SCP policy with negative condition

0

I am trying to understabd SCP Deny policy with NotAction and 2 negative condition.

    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotAction": [
                "budgets:*",
                "support:*",
                "waf:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                      "us-east-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/abc",
                        "arn:aws:iam::*:role/cde"
                    ]
                }
            }
        }
    ]
}```
Topics
Management & Governance
Tags
Service Control Policy
Language
English
GB
asked 19 days ago62 views
1 Answer
2

This SCP (Service Control Policy) Deny policy is designed to restrict certain actions for IAM principals (users or roles) based on two negative conditions:

NotAction: Specifies the actions that are not allowed. In this case, the SCP denies all actions except those related to budgets, support, and WAF (Web Application Firewall).

Condition: Contains two conditions that must not be met for the policy to take effect:

StringNotEquals: Checks if the requested AWS region is not "us-east-1". This means that the policy allows actions only if they are requested in the "us-east-1" region.

ArnNotLike: Checks if the IAM principal's ARN (Amazon Resource Name) is not like the specified patterns. It uses wildcard patterns to match ARNs of IAM roles named "abc" or "cde" in any AWS account.

In summary, this SCP Deny policy allows actions related to budgets, support, and WAF, only if they are requested in the "us-east-1" region and if the IAM principal's ARN does not match the patterns specified for roles named "abc" or "cde". For all other actions, the policy denies access regardless of the requested region or IAM principal.

This might help too :- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html

profile picture
EXPERT
Adeleke Adebowale J
answered 19 days ago
profile picture
EXPERT
Oleksii Bebych
reviewed 19 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content