Can I use SSM parameter in the SCP policy

0

Hi Team, trying to get this work but seems like we can not fetch parameter ( stored in SSM parameter store) from within a SCP policy. I was trying this below policy but seems like this is not effecting as it supposed to be. Any help on this please ? With this policy I would like to restrict vpc creation and cidr association only within the given/allowed ipam pol id.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:CreateVpc", "ec2:AssociateVpcCidrBlock" ], "Resource": "arn:aws:ec2:*:*:vpc/*", "Condition": { "StringNotEquals": { "ec2:Ipv4IpamPoolId": [ "{{resolve:ssm:/test/workload-ipam-pool-id}}", "{{resolve:ssm:/test/transit-gateway-ipam-pool-id}}" ] } } } ]

2 Answers
1
Accepted Answer

I don't think this is supported as SSM Parameter Store only supports a number of AWS services which currently doesn't include SCP.

profile pictureAWS
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
profile picture
EXPERT
reviewed 2 months ago
0

As commented by the colleague, this scenario is not supported by Service Control Policies. But, what you can do is to deploy the SCP using Automation tools (like CloudFormation or Terraform) and from those tools get the configuration from Parameter Store and build the final SCP. You can also trigger changes, when someone changes that configuration and update the deployed SCP using your pipeline. That's the way to get to do what you are looking for.

Best,

profile pictureAWS
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions