Certified Security - Specialty


Service Control Policies

Hello. I created an OU, moved my AWS root account to it and created a sub-account with CloudTrail rights.

I created an SCP and attached it to my OU with a Deny on all CloudTrail actions, but the sub-account still has permission to modify CloudTrail. What am I doing wrong? Should I attach my SCP to every account that I want to control inside an OU?

Adiel Ribeiro

Solved! It was so easy, but there is a very important detail: we should enable CloudTrail for Organizations in the CloudTrail console together with our CloudTrail SCPs.

1 Answer

Glad to hear you got it working! Thanks for coming back and letting us know how you solved it!

Adiel Ribeiro

Hello, Faye. Yes, it's working, but I don't know if this is the correct way to do it. I will test this scenario with other AWS services. I suppose that if I block anything with an SCP, it should not work in any way, should it?
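The evaluation rules this thread is circling around, as an added example that is not part of the original posts. The policy document uses real SCP syntax; the account IDs, the OU name and the layout of the organization are constructed for illustration. Two properties of SCPs that the model encodes, and that account for the symptom described in the question: SCPs never restrict the organization's management account, and an SCP attached to an OU only reaches accounts that are actually inside that OU (a newly created account lands at the root until it is moved). Whether an organization trail is switched on in the CloudTrail console does not enter into SCP evaluation.

```python
"""Toy evaluator for AWS Organizations Service Control Policies (SCPs).

Added example for this thread, not code from the original posts. The SCP
document below is real SCP syntax; account IDs, OU name and the shape of
the organization are constructed for illustration.
"""
import fnmatch
import json

# Constructed SCP: deny the CloudTrail calls that could switch off or
# weaken logging. Actions not listed are left to the other SCPs.
DENY_CLOUDTRAIL_TAMPERING = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyCloudTrailTampering",
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
    "Resource": "*"
  }]
}
""")

# FullAWSAccess is the SCP that Organizations attaches by default at the
# root, every OU and every account. Detaching it at a level blocks
# everything below that level, because an Allow is required at each step.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action):
    """Does this statement's Action / NotAction cover `action`?

    IAM action names match case-insensitively and support * and ? wildcards.
    """
    action = action.lower()
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def level_allows(policies, action):
    """Evaluate the SCPs attached at one level (root, an OU, or an account).

    An explicit Deny in any matching statement wins. Otherwise at least one
    matching Allow is needed, or the level blocks the action.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(org, account_id, action):
    """Does the SCP layer let a principal in `account_id` call `action`?

    The management account is exempt from SCPs entirely. Every other account
    must pass level_allows at each level from the root down to the account
    itself. Passing here is necessary, not sufficient: the principal still
    needs an IAM identity policy that allows the call.
    """
    if account_id == org["management_account"]:
        return True
    return all(level_allows(org["attached"][level], action)
               for level in org["path_to"][account_id])


# Constructed organization, mirroring the thread: the management account
# 1111... was moved into OU "Security" together with member account 2222...,
# and the Deny SCP is attached to that OU. Account 3333... was created later
# and never moved out of the root, so the OU's SCP does not reach it.
ORG = {
    "management_account": "111111111111",
    "attached": {
        "Root": [FULL_AWS_ACCESS],
        "ou-Security": [FULL_AWS_ACCESS, DENY_CLOUDTRAIL_TAMPERING],
        "111111111111": [FULL_AWS_ACCESS],
        "222222222222": [FULL_AWS_ACCESS],
        "333333333333": [FULL_AWS_ACCESS],
    },
    "path_to": {
        "111111111111": ["Root", "ou-Security", "111111111111"],
        "222222222222": ["Root", "ou-Security", "222222222222"],
        "333333333333": ["Root", "333333333333"],
    },
}

if __name__ == "__main__":
    for acct in ORG["path_to"]:
        for action in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
            verdict = "permitted" if scp_permits(ORG, acct, action) else "DENIED by SCP"
            print(f"{acct} {action:<28} {verdict}")
```

Running the script shows StopLogging blocked only for 222222222222: the management account is exempt even though it sits in the OU, and the account left at the root is never evaluated against the OU's policy. Real SCPs of this kind usually add a Condition on aws:PrincipalArn to exempt a break-glass role; this model evaluates Action and Effect only and does not implement Condition keys.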
