Service control policy not being enforced

Time: 2020-04-10 12:00:47

Tags: amazon-web-services aws-organizations

Hoping someone can help me set up my SCP correctly with AWS Organizations. I invited two accounts into the organization and created two OUs, ProdOU and DevOU.

I have assigned one account to each OU. I am trying to attach a deny policy that prevents launching any EC2 instance type other than t2.micro.

See the CLI output below. I have attached the SCP to DevOU, but I can still launch a t2.nano instance. For some reason the policy does not seem to be triggering.

Any help would be appreciated. I may have missed a configuration step somewhere.

Thanks

$ aws organizations list-roots
{
    "Roots": [
        {
            "Id": "r-nmg6",
            "Arn": "arn:aws:organizations::xxxxxxxxx:root/o-xxxxxxxx/r-nmg6",
            "Name": "Root",
            "PolicyTypes": [
                {
                    "Type": "TAG_POLICY",
                    "Status": "ENABLED"
                },
                {
                    "Type": "SERVICE_CONTROL_POLICY",
                    "Status": "ENABLED"
                }
            ]
        }
    ]
}

$ aws organizations list-organizational-units-for-parent --parent-id r-nmg6
{
    "OrganizationalUnits": [
        {
            "Id": "ou-nmg6-xxxx",
            "Arn": "arn:aws:organizations::xxxxxx:ou/o-xxxxx/ou-nmg6-xxxxxx4",
            "Name": "ProdOU"
        },
        {
            "Id": "ou-nmg6-yyyy",
            "Arn": "arn:aws:organizations::xxxxxx:ou/o-xxxxx/ou-nmg6-xxxxxx7",
            "Name": "DevOU"
        }
    ]
}

$ aws organizations list-accounts-for-parent --parent-id ou-nmg6-xxxxxx7
{
    "Accounts": [
        {
            "Id": "ou-nmg6-xxxxxx7",
            "Arn": "arn:aws:organizations::xxxxxxxxx:account/o-xxxxxxx/xxxxxxx",
            "Email": "xxxxxx@gmail.com",
            "Name": "xx.aws",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2020-04-09T14:20:27.088000+01:00"
        }
    ]
}


$ aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id ou-nmg6-xxxxxx7
{
    "Policies": [
        {
            "Id": "p-xxxxxxxxxxx",
            "Arn": "arn:aws:organizations::xxxxxxxxxxxxx:policy/o-xxxxxxxxxxxx/service_control_policy/p-xxxxxxxxxx",
            "Name": "DenyNonT2Micro",
            "Description": "Only t2.micro",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": false
        },
        {
            "Id": "p-FullAWSAccess",
            "Arn": "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess",
            "Name": "FullAWSAccess",
            "Description": "Allows access to every operation",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": true
        }
    ]
}

$ aws organizations describe-policy --policy-id p-xxxxxxxxxx
{
    "Policy": {
        "PolicySummary": {
            "Id": "p-xxxxxxx",
            "Arn": "arn:aws:organizations::xxxxxxxxx:policy/o-xxxx/service_control_policy/xxxxxxxxx",
            "Name": "DenyNonT2Micro",
            "Description": "Only t2.micro",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": false
        },
        "Content": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"RequireMicroInstanceType\",\n      \"Effect\": \"Deny\",\n      \"Action\": \"ec2:RunInstances\",\n      \"Resource\": \"arn:aws:ec2:*:*:instance/*\",\n      \"Condition\": {\n        \"StringNotEquals\":{\t\n          \"ec2:InstanceType\":\"t2.micro\"\n        }\n      }\n    }\n  ]\n} "
    }
}

0 answers:

No answers
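The following is an added example, not code from the question or from AWS. It re-implements the documented SCP evaluation rules in plain Python so the DenyNonT2Micro policy shown in the describe-policy output can be exercised offline: an SCP never grants anything, every level on the path from the root through the OUs to the account must contain an explicit Allow (normally the default FullAWSAccess), any matching explicit Deny at any level wins, and the organization's management account is exempt from SCPs entirely. The OU layout, account path, region, account ID and instance ARN below are constructed assumptions; the policy content is decoded from the question's own output.

```python
"""Offline model of SCP evaluation for one API call (added example, not the AWS engine)."""
from fnmatch import fnmatchcase

# DenyNonT2Micro, decoded from the describe-policy "Content" string in the question.
DENY_NON_T2_MICRO = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireMicroInstanceType",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}},
    }],
}

# The AWS-managed FullAWSAccess SCP that Organizations attaches to every target by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals only (all this policy needs).

    A key missing from the request context is treated as 'statement does not
    match'; RunInstances always supplies ec2:InstanceType for the instance resource.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # IAM matches action names case-insensitively and resource ARNs case-sensitively.
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def scps_permit(policy_levels, action, resource, context, management_account=False):
    """True if the SCPs let the request through to IAM evaluation.

    policy_levels: the SCP sets along the path root -> OU(s) -> account.
    Each level needs a matching Allow; a matching Deny at any level is final.
    """
    if management_account:          # SCPs never apply to the management account
        return True
    for policies in policy_levels:
        allowed = False
        for policy in policies:
            for stmt in policy["Statement"]:
                if not _statement_matches(stmt, action, resource, context):
                    continue
                if stmt["Effect"] == "Deny":
                    return False    # explicit Deny wins over every Allow
                allowed = True
        if not allowed:
            return False            # a level with no Allow blocks the action
    return True


# Constructed layout mirroring the question: FullAWSAccess everywhere,
# DenyNonT2Micro attached only to DevOU. Account ID and region are made up.
ROOT, PROD_OU, ACCOUNT = [FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]
DEV_OU = [FULL_AWS_ACCESS, DENY_NON_T2_MICRO]
DEV_PATH = [ROOT, DEV_OU, ACCOUNT]
PROD_PATH = [ROOT, PROD_OU, ACCOUNT]
INSTANCE_ARN = "arn:aws:ec2:eu-west-1:111111111111:instance/*"


def run_instances_permitted(path, instance_type, management_account=False):
    """Would ec2:RunInstances for instance_type pass the SCPs on this path?"""
    return scps_permit(path, "ec2:RunInstances", INSTANCE_ARN,
                       {"ec2:InstanceType": instance_type}, management_account)


if __name__ == "__main__":
    for label, path, itype, mgmt in [
        ("DevOU account, t2.micro", DEV_PATH, "t2.micro", False),
        ("DevOU account, t2.nano", DEV_PATH, "t2.nano", False),
        ("ProdOU account, t2.nano", PROD_PATH, "t2.nano", False),
        ("management account, t2.nano", DEV_PATH, "t2.nano", True),
    ]:
        verdict = "permitted" if run_instances_permitted(path, itype, mgmt) else "DENIED by SCP"
        print(f"{label}: {verdict}")
```

The model reproduces the two usual reasons an SCP appears not to fire even though it is correctly written and attached: the call is made with management-account credentials, which SCPs never restrict, or the account making the call is not actually beneath the OU the SCP is attached to. Both can be confirmed against the real organization with `aws organizations list-parents --child-id <account-id>` and `aws organizations list-policies-for-target --filter SERVICE_CONTROL_POLICY --target-id <account-id>`, run with the account ID (not the OU ID) as the target.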