AWS Organizations - How to globally set boundaries to allow access only to a predefined set of services?

I would like to allow users in all accounts in my AWS Organization (under a number of different OUs) to access only a few AWS services: RDS, EC2, S3, etc. In other words, I need to prevent access to anything else. I was thinking about using SCP but denying access to so many services seems to be a bad idea (the FullAWSAccess service control policy is attached by default). I would like to ask if you have ever done something like that and if you have, how?


SCP is the way to go.

You can deny everything with a whitelist condition.

Please bear in mind that you need to reduce the scope of your SCP, otherwise you end up preventing AWS service roles from performing standard operations, e.g. if you use CloudFormation stacks.

Therefore, you should apply this SCP only to the roles used by your users and services.

Tip: use one role for implementing the SCP and one role to test it. Start small and progress in small steps. Otherwise you might exclude yourself from any service in the AWS console.
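As an added illustration of the approach described in this answer (not the answerer's own policy), the SCP below denies every action outside an allowlist of services, but only for principals whose role matches a listed ARN, so service roles and other principals in the account are left alone. The role names and the use of `ec2`, `rds` and `s3` as the allowlist are assumptions for the example; replace them with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingExceptAllowlistedServicesForUserRoles",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "rds:*",
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/DeveloperRole",
            "arn:aws:iam::*:role/DataAnalystRole"
          ]
        }
      }
    }
  ]
}
```

The default FullAWSAccess SCP can stay attached: SCPs never grant permissions, and an explicit Deny always wins, so this statement only narrows what the matched roles can do while every other principal (including service roles) keeps its existing permissions. Attach it to a test OU with a dedicated test role first, and remember that SCPs do not apply to the management account.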