SCP Best Practices Deny list strategy Allow list strate | AWS Notes

SCP Best Practices

Deny list strategy
Allow list strategy

https://aws.amazon.com/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1/

Organizational Units

https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

Deny Changes to CloudWatch monitors
Deny Changes to CloudWatch Logs
Deny Changes to Config
Deny accounts from leaving the organization
Deny all actions
Deny access to IAM with role exception
Deny actions outside approved regions
Deny ability to pass IAM roles
Deny changes to GuardDuty
Deny changes to AWS Budget Actions
Limit changes to Cost Anomaly Detection, except when using a specific IAM Role

https://aws.amazon.com/blogs/mt/codify-your-best-practices-using-service-control-policies-part-2/

Stop the war now!

#SCP #security #best_practices