1 Answer
1
If the only SCP you have enabled is to disable root for member accounts, then no non-root functionality inside the account should stop working. Joining an Organization is also a two-way door: you can remove the account from the Organization if there are unintended issues. Is the SCP at the root level of the Org or at each OU? One best practice is to have a transitional OU with limited controls for bringing in new accounts. Once the account is in the Org without issues and everything is working, you can move it to its permanent OU with the SCP(s) in place.
answered a year ago
Thanks for posting! The SCP is applied at the individual OUs and not at the root. This was on purpose so that when the account joins, it will initially join without the SCP taking effect. The plan is to move the account into the OU once it has joined without issues. I like the idea of a transitional OU; can you invite an account into an initial OU? So far I've only seen them join the root.
You are correct. However, that should not be a concern since root SCPs are inherited regardless. Once the account is added, just move it to the Transitional OU. This way any additional OU-level policies for standard accounts won't apply to the new account until you are ready.
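To see the inheritance behaviour discussed above (root-level SCPs apply everywhere, OU-level SCPs only once the account is moved into that OU), here is an added Python model that is not part of the re:Post thread or of AWS. It evaluates a simplified SCP subset (only Action plus an aws:PrincipalArn StringLike condition, no NotAction or Resource matching) over a constructed org tree whose OU ids, account id and policy names are placeholders.

```python
import fnmatch

# Constructed policies. FullAWSAccess mirrors the default SCP; DenyRootUser is the
# common "disable root for member accounts" pattern keyed on aws:PrincipalArn.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ROOT = {"Version": "2012-10-17",
             "Statement": [{"Sid": "DenyRootUser", "Effect": "Deny",
                            "Action": "*", "Resource": "*",
                            "Condition": {"StringLike": {
                                "aws:PrincipalArn": "arn:aws:iam::*:root"}}}]}
POLICIES = {"FullAWSAccess": FULL_ACCESS, "DenyRootUser": DENY_ROOT}

# Constructed org tree: node -> (parent, attached SCP names). Only the standard
# OU carries the deny-root SCP; the root and the transitional OU do not.
ORG = {
    "r-root": (None, ["FullAWSAccess"]),
    "ou-transitional": ("r-root", ["FullAWSAccess"]),
    "ou-standard": ("r-root", ["FullAWSAccess", "DenyRootUser"]),
}


def _matches(stmt, action, principal_arn):
    """Does this statement cover the action and (if conditioned) the principal?"""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    pattern = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
    return pattern is None or fnmatch.fnmatchcase(principal_arn, pattern)


def scp_allows(parent, action, principal_arn):
    """Evaluate the SCPs inherited from every container between the org root
    and `parent`: an explicit Deny at any level wins, and every level must
    contribute an Allow (simplified Action-and-principal-only model)."""
    node = parent
    while node is not None:
        node_parent, attached = ORG[node]
        stmts = [s for name in attached for s in POLICIES[name]["Statement"]]
        if any(s["Effect"] == "Deny" and _matches(s, action, principal_arn) for s in stmts):
            return False
        if not any(s["Effect"] == "Allow" and _matches(s, action, principal_arn) for s in stmts):
            return False
        node = node_parent
    return True


if __name__ == "__main__":
    root_user = "arn:aws:iam::111122223333:root"  # constructed account id
    for parent in ("r-root", "ou-transitional", "ou-standard"):
        print(parent, "root user allowed:", scp_allows(parent, "s3:ListAllMyBuckets", root_user))
```

Running it shows the root user unaffected while the account sits under the org root or the transitional OU, and denied only after the move to the OU carrying the SCP, while a role in the same account stays allowed.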