Adiel Ribeiro
Hello. I created an OU, moved my AWS root account to it and created a sub account with CloudTrail rights.
I created a SCP policy and attached it to my OU with deny to all actions on CloudTrail, but the created sub account is still having permissions to modify CloudTrail. What Am I doing wrong? Should I atach my SCP policy to all accounts that I want to control inside an OU?
1 Answers
Faye Ellis
Glad to hear you got it working! Thanks for coming back and letting us know how you solved it!
Adiel Ribeiro
Hello, Faye. Yes, it’s working, but I don’t know if this the correct way to do this. I will test this scenario with other AWS services. I suppose that if I block anything with SCP, it should not work in any way, not?
Solved! It was so easy, but very important detail: we should enable cloudtrail for organizations inside cloutrail console together with our cloudtrail SCPs.