Home > Mobile >  SCP behaving abruptly when adding VPC resource
SCP behaving abruptly when adding VPC resource

Time:05-16

I am using SCP policy to stop ec2 resource ( subnet, security group, instance, vpc) creation when they don't have tags. i am using tag policy to check for compliant tags.

But as soon as i am adding action and resource for vpc in my scp policy, i am not able to create subnet, security group.

Below SCP policy is working fine without vpc resource -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ],
     "Condition": {
        "Null": {
          "aws:RequestTag/project": [
            "true"
          ]
        }
      }
    }
  ]
}

This SCP policy is breaking - i.e i am not able to create security group/subnet with proper tags aslo.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateVpc"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:vpc/*"
      ],
     "Condition": {
        "Null": {
          "aws:RequestTag/project": [
            "true"
          ]
        }
      }
    }
  ]
}

Can someone shed a light on this?

CodePudding user response:

It is not recommendable to combine different Actions and Resource in the same statement. It could cause unexpected behaviours or some issues. Also not all actions are applicable to all resources, you need to specify the suitable one.

So first it is necessary to split the statement into multiple ones. Then change the effect from Allow to Deny and condition to 'StringNotEquals'.

The SCP should be similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    },
    {
      "Sid": "Statement2ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    },
    {
      "Sid": "Statement3ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSubnet"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    },
    {
      "Sid": "Statement4ForProjectTag",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVpc"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:vpc/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": [
            "project"
          ]
        }
      }
    }
  ]
}

Page link:https//www.codepudding.com/Mobile/407889.html

Prev:Convert Ansible variable to integer for arithmetic
Next:AWS CDK : Exception while creating API Gateway with VPC Interface Endpoint
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding