-
-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add account and sso to not_actions in DenyRegions and RestrictToSpecifiedRegions #29
Conversation
Thanks @BFarand for creating this pull request! A maintainer will review your changes shortly. Please don't be discouraged if it takes a while. While you wait, make sure to review our contributor guidelines. Tip Need help or want to ask for a PR review to be expedited?Join us on Slack in the |
@BFarand Thank you for this contribution. I am going to close this in favor of PR #50, which incorporates some, but not all, of your changes. SCPs are supposed to be restrictive, so I want to error on the side of them being overly restrictive. People are free to copy and modify our SCPs if they want to relax some restrictions; I am uncomfortable doing that for them. I did, however, add
I think, in general, it may be asking too much to try to prevent people from provisioning resources in After PR #50 merges, if you still want changes, I suggest you create a separate set of new policies where the global restrictions are relaxed and then individually tightened up, as you did here with Lambdas. Maybe just create a separate statement for the services that need |
what
account:*
andsso:*
as not_actions in theDenyRegions
andRestrictToSpecifiedRegions
SCPs.why
sso:*
being denied results in the entire AWS Identity Centre console being unusable.account:*
being denied results in, for example, GetAlternateContact requests failing.