I am learning how AWS SCPs work, and the explanation I heard from the course I’m going through was this: you start off with a default "Permit everything" SCP policy in the root of the organization, and then remove permissions as necessary. Anything removed at any level makes the permission removed impossible to grant via internal account policies. Fine.
The instructor went on to say, however, that it’s possible to start off the other way around. That is to say, give the root account an "empty" SCP which denies nothing but which also grants (more or less) nothing. From there you can add permissions as you wish. So 3 nodes down in the org tree you could grant, for the first time, EC2 permissions to an account.
So for learning purposes I thought I’d try this out. I created several new SCPs.
Name: No-op
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"iam:GetLoginProfile"
],
"Resource": "*"
}
]
}
(I gave the iam permission shown because I couldn’t figure out how to define a true no-op SCP that, in fact, neither grants nor denies anything.)
I added this No-op policy to the Organization Root account. There now being 2 policies present, I was permittted to remove the standard one, which for completeness I’ll provide here:
Name: FullAWSAccess
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Next I created yet another policy, just for playing around.
Name: Allow-EC2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*"
}
]
}
Finally I went down an OU node and logged in to an Account (which we’ll call Fun-One) as a user with full rights (the AWS policy AdministratorAccess, to be specific) in the account.
I couldn’t list, let alone create, an EC2 instance in Fun-One. Great.
Now I went back to Fun-One and added a new SCP to it: Allow-EC2.
I now returned to Fun-One hoping to see that my admin user would be able to list and create EC2s. Not so.
I tried many things. Nothing worked. Finally, out of desperation, I added the Allow-EC2 SCP to the root OU. Now Root has two policies, one of which grants EC2 rights.
I went back and hey-presto, now my admin user can list and create EC2s.
But this is not the version of the story that I was told.
To be clear, I don’t wish to defend a need to start an AWS organization with a blacklist SCP approach, where permissions are only added in downstream. I’m fine with going with the flow.
But for purposes of understanding AWS SCP logic, I have hit a brick wall. It looks as if AWS is ONLY designed to start off with everything granted, and we can then remove permissions downstream if we so choose. But to do the reverse? Maybe not.
Does anything I did look wrong? Or is my understanding of AWS SCP flawed? Or was that online instructor mistaken in what he presented?
POSTSCRIPT:
Rohit’s answer matches my experience. If Service X
is denied (even implicitly) in OU A
, then no child OU/Account under OU A
can ever permit Service X
. End of story.
I’m also going to throw (down below) an "answer" that is what the course instructor taught, verbatim. I’m curious if anyone reads/hears it differently than I do.
2
Answers
This is the reason for my OP, as I was trying to replicate what was explained below. I am curious if anyone else reads the below differently. In hindsight, it looks entirely wrong, to me.
You are correct if there is deny at organization level, it won’t check anything downwards.
Default Way – Restrict S3 Access for an Organization Unit:
You can Implement otherway around:
For Example: I have an OraganizationUnit where I only want S3 Access:
Facts to understand before designing these type of policies.
I think better way to design policy approach is to understand policy evaluation logic.
I use this diagram before designing any policy, more details are here in aws documentation
Further There are two type of denies: