
Service Control Policies + AWS Organizations

Imagine you have 5 AWS accounts and want to restrict 2 of them from using a particular AWS service. How would you do that?

This can be achieved with service control policies (SCPs) and AWS Organizations.

Create an organizational unit (OU) containing those 2 accounts, then apply the restriction to that OU.

Service control policies control which AWS services can be used across multiple accounts.

IAM policies can be attached only to users, roles and groups, not to accounts, whereas SCPs apply to accounts or groups of accounts (OUs).
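The following added example (not code from the original post) models the scenario above: a deny-style SCP attached to an OU that holds 2 of the 5 accounts, and a simplified evaluator showing that an action is effective only when IAM grants it and every SCP level on the account's path permits it. The organization layout, account IDs and the choice of "sagemaker" as the blocked service are all constructed for illustration.

```python
from fnmatch import fnmatch

# Constructed SCP for the restricted OU: deny every action of one service.
# "sagemaker" is only the service chosen for illustration; use any service prefix.
DENY_SERVICE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "sagemaker:*", "Resource": "*"}],
}
# AWS attaches the FullAWSAccess SCP to the root and every OU by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed organization: five accounts, two of them in a restricted OU.
# SCPs are listed per level; an action must be allowed at every level on the path.
ORG = {"root": {"scps": [FULL_AWS_ACCESS], "children": {
    "Restricted-OU": {"scps": [FULL_AWS_ACCESS, DENY_SERVICE_SCP],
                      "accounts": ["111111111111", "222222222222"]},
    "Standard-OU": {"scps": [FULL_AWS_ACCESS],
                    "accounts": ["333333333333", "444444444444", "555555555555"]},
}}}

def _statements_allow(policies, action):
    """Simplified evaluation: a matching explicit Deny wins; otherwise at least one
    matching Allow is required. Conditions, resources and NotAction are ignored."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            actions = actions if isinstance(actions, list) else [actions]
            if any(fnmatch(action.lower(), a.lower()) for a in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def scps_permit(org, account_id, action):
    """SCPs permit an action only if every level on the account's path allows it."""
    root = org["root"]
    for ou in root["children"].values():
        if account_id in ou["accounts"]:
            return all(_statements_allow(lvl, action) for lvl in (root["scps"], ou["scps"]))
    return False  # account is not in this organization

def effective_allow(org, account_id, iam_policies, action):
    """Allowed only when IAM grants the action AND the SCPs permit it;
    an SCP never grants what IAM has not granted."""
    return scps_permit(org, account_id, action) and _statements_allow(iam_policies, action)
```

Two real-world caveats the model leaves out: SCPs never restrict the organization's management account, and they do not affect service-linked roles.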
