AWS Certified Solutions Architect - Associate (SAA-C02)


In the Governance Module, with SCP, does the restricted user see what service access they have?

In the most recent Governance module covering SCPs, we learn we can set a policy document that can specify a list of only the services a given account can use (in the video, only allowing EC2 and S3, for example, and no other services). Does the restricted user get any visual indication of what services they can use? What I am getting at is, imagine a developer with the policy in the video. If this user is not already aware of this restrictive access to services, they may open a trouble ticket every time they try to use some other service, leading to delays and frustration. Does the AWS console have a way to say "Hey, here is a list of services you can use"?

1 Answer

When you log into the AWS console with any of the services restricted, you can normally still see them until you try going into them. The visual indication is normally "You do not have permissions to list this" etc.

In regards to listing the products they can use, the only service I can think of which would be able to provide this is Service Catalog: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html

It may not be ideal, but it gives more of a visual change on what you can see. There is a bit of configuration to set up, so it may be worth trying it out and seeing if it meets your needs.

It's all done via CF templates, so see here for an example: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-template.html

Although I think it would be good to be able to hide services, the easiest way I have found is just to ask what the developers want to achieve, build permissions for that, and then they normally get in contact if their requirements change. They all know which services they can use as it has been scoped out, and when you regularly go into the account, it will start showing up in the recently visited.

If they just want to know which services they already have access to, it may be worth just publishing it as an internal document to say these are the things you can do.
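As an added illustration (not code from the course, the video or the answer above), the following Python models an allow-list SCP of the kind the question describes and shows two things a practitioner would want: how the SCP evaluation actually decides that `lambda:ListFunctions` is denied while `s3:ListAllMyBuckets` is allowed (which is why the console can only show a "You do not have permissions" message after the fact), and how to derive from the policy document itself the "here is what you can use" list that the answer suggests publishing internally. The policy document, its `Sid` values and the extra `s3:DeleteBucket` deny statement are constructed for this example. Two caveats the page only implies: an SCP sets a ceiling and grants nothing by itself, so the principal still needs an IAM policy that allows the action; and an allow-list SCP only takes effect once the default `FullAWSAccess` policy is detached from the OU or account.

```python
import fnmatch
import json

# Constructed example SCP (hypothetical, not from the course video or the post):
# an allow-list that permits only EC2 and S3, as described in the question,
# plus one explicit Deny to show how Deny statements interact with the allow-list.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyEc2AndS3",
            "Effect": "Allow",
            "Action": ["ec2:*", "s3:*"],
            "Resource": "*",
        },
        {
            "Sid": "DenyBucketDeletion",  # constructed guardrail
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*",
        },
    ],
}


def _actions(statement):
    """IAM lets "Action" be a string or a list; normalise to a lowercase list,
    because IAM matches action names case-insensitively."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return [a.lower() for a in actions]


def scp_permits(scp, action):
    """Apply SCP evaluation logic to a single action: an explicit Deny always wins,
    otherwise at least one Allow must match, otherwise the action is implicitly denied.
    This only models the SCP ceiling; an IAM Allow is still required to actually act."""
    action = action.lower()
    allowed = False
    for statement in scp["Statement"]:
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in _actions(statement)):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def allowed_service_prefixes(scp):
    """Service prefixes (the part before ':') covered by at least one Allow statement."""
    prefixes = set()
    for statement in scp["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        for action in _actions(statement):
            prefixes.add(action.split(":", 1)[0])
    return sorted(prefixes)


def render_service_list(scp):
    """Build the internal 'here is what you can use' document the answer suggests,
    straight from the policy so it cannot drift out of sync with the SCP."""
    lines = ["Services permitted by the organisation SCP:"]
    lines += [f"  - {prefix}" for prefix in allowed_service_prefixes(scp)]
    denied = [a for s in scp["Statement"] if s["Effect"] == "Deny" for a in _actions(s)]
    if denied:
        lines.append("Explicitly denied actions: " + ", ".join(denied))
    return "\n".join(lines)


if __name__ == "__main__":
    print(json.dumps(ALLOW_LIST_SCP, indent=2))
    print(render_service_list(ALLOW_LIST_SCP))
    for act in ["s3:ListAllMyBuckets", "ec2:DescribeInstances",
                "s3:DeleteBucket", "lambda:ListFunctions"]:
        verdict = "allowed by SCP" if scp_permits(ALLOW_LIST_SCP, act) else "denied by SCP"
        print(f"{act}: {verdict}")
```

Running the script prints the policy, the generated service list (`ec2`, `s3`, with `s3:deletebucket` called out as denied) and a verdict per action; swapping in your own SCP document for `ALLOW_LIST_SCP` gives the same summary for a real organisation policy.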
