SCP & IAM policy - some thoughts






I have been working with SCPs (service control policies) for a while and still don't like the interface just saying "explicit deny". Most of the time you can easily trace back to the statement where the deny lies, but that is not always the case (sad..). Today, for example, it took me a while to do so with Aurora.





In the SCP of the organization, the only statement related to RDS says that it will deny creating a database instance (CreateDBInstance) if the RDS storage is not encrypted. Easy so far, right? I clicked on "create database" and chose Aurora. Even though I chose all kinds of instance types that support encrypted storage (r, m, t3) -- note that the free t2.micro instance does not support encrypted storage -- I couldn't create the database: explicit deny. What the hell is going on..... (Making guesses and looking at CloudTrail really helped.)





AND the answer is: once you click on "create database", the other database types (PostgreSQL...) create an encrypted instance (if you choose so), and the SCP works fine. However, that is not the case for Aurora. For Aurora, creating a database instance means creating a cluster under it -- hence two interfaces are used (CreateDBInstance and CreateClusterInstance) -- and it is the cluster itself that is encrypted, not the instance; the instance is just like a wrapper. So of course the Aurora instance is not encrypted... It's logical once you understand it, right...





Note:





  • That is to say, it is not always straightforward to trace back to the SCP statement, especially when multiple interfaces are involved. Again, CloudTrail really helped me debug this.




  • It is also worth looking into Organizations to see which SCPs are applied to an account. It can be hierarchical, with several SCPs involved, and from there you can check where the error is coming from.
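To make the Aurora case concrete, here is an added example (not code from the original post): a small evaluator for the condition logic of an SCP deny statement, run over constructed CloudTrail records of the two creation flows described above (a plain PostgreSQL instance versus an Aurora cluster plus its instance). It shows why one "deny if storage is not encrypted" statement lets PostgreSQL through but denies the Aurora instance call, which carries no storage-encryption parameter at all because encryption lives on the cluster, and how to read the offending Sid off a CloudTrail AccessDenied event. The policy text, the records and all helper names are constructed for illustration; the cluster call is written with the real API action name rds:CreateDBCluster, and rds:StorageEncrypted and rds:DatabaseEngine are real RDS condition keys, but whether the instance-level call for Aurora omits the key in a given account is an assumption taken from the post's observation.

```python
"""Added example: evaluate SCP deny conditions against constructed CloudTrail
records and trace an AccessDenied back to the statement that caused it.
Policy text, records and helper names are constructed, not taken from AWS."""
from fnmatch import fnmatchcase

# Constructed SCP in the shape the post describes. BoolIfExists matches both
# "StorageEncrypted=false" AND "key not present", so a request that simply
# does not carry the key is denied as well.
SCP_ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedRdsStorage",
        "Effect": "Deny",
        "Action": ["rds:CreateDBInstance", "rds:CreateDBCluster"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"rds:StorageEncrypted": "false"}},
    }],
}

# Constructed fix: encryption of an Aurora cluster is a property of the
# cluster, so enforce it on CreateDBCluster and exempt aurora* engines from
# the instance-level check (assumption: rds:DatabaseEngine is on both calls).
SCP_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedInstanceStorage",
            "Effect": "Deny",
            "Action": "rds:CreateDBInstance",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {"rds:StorageEncrypted": "false"},
                "StringNotLike": {"rds:DatabaseEngine": "aurora*"},
            },
        },
        {
            "Sid": "DenyUnencryptedClusterStorage",
            "Effect": "Deny",
            "Action": "rds:CreateDBCluster",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"rds:StorageEncrypted": "false"}},
        },
    ],
}

# Constructed CloudTrail records, trimmed to the fields used here.
CLOUDTRAIL = [
    {"eventName": "CreateDBInstance",
     "requestParameters": {"engine": "postgres", "storageEncrypted": True}},
    {"eventName": "CreateDBCluster",
     "requestParameters": {"engine": "aurora-postgresql", "storageEncrypted": True}},
    {"eventName": "CreateDBInstance",  # Aurora instance: no storageEncrypted at all
     "requestParameters": {"engine": "aurora-postgresql", "dBClusterIdentifier": "demo"},
     "errorCode": "AccessDenied",
     "errorMessage": "... with an explicit deny in a service control policy"},
]


def request_context(record):
    """Map a CloudTrail record to the IAM action and the condition keys it carries."""
    params = record.get("requestParameters", {})
    ctx = {"rds:DatabaseEngine": params.get("engine", "")}
    if "storageEncrypted" in params:  # absent for the Aurora instance call
        ctx["rds:StorageEncrypted"] = "true" if params["storageEncrypted"] else "false"
    return "rds:" + record["eventName"], ctx


def condition_matches(cond, ctx):
    """Evaluate the IAM operators modelled here; every key of every operator must match."""
    for op, pairs in cond.items():
        if op not in ("Bool", "BoolIfExists", "StringNotLike"):
            raise ValueError("operator not modelled: " + op)
        for key, want in pairs.items():
            present = key in ctx
            if op == "Bool" and (not present or ctx[key] != want):
                return False
            if op == "BoolIfExists" and present and ctx[key] != want:
                return False
            if op == "StringNotLike" and present and fnmatchcase(ctx[key], want):
                return False
    return True


def denying_sids(policy, action, ctx):
    """Return the Sids of the Deny statements that match this action and context."""
    sids = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or not any(fnmatchcase(action, a) for a in actions):
            continue
        if condition_matches(st.get("Condition", {}), ctx):
            sids.append(st["Sid"])
    return sids


def trace(policy, records=CLOUDTRAIL):
    """(eventName, engine, denying Sids) for every record under the given policy."""
    out = []
    for r in records:
        action, ctx = request_context(r)
        out.append((r["eventName"], ctx["rds:DatabaseEngine"], denying_sids(policy, action, ctx)))
    return out


if __name__ == "__main__":
    for label, pol in (("original", SCP_ORIGINAL), ("fixed", SCP_FIXED)):
        print(label)
        for name, engine, sids in trace(pol):
            print(f"  {name:<18} {engine:<18} denied by: {sids or '-'}")
```

Under the original policy only the third record, the Aurora CreateDBInstance, is denied, and the postgres instance and the Aurora cluster pass; under the fixed policy all three pass while an unencrypted postgres instance is still denied. When debugging for real, the pair to grep out of CloudTrail is eventName plus errorCode, then compare the eventName (as rds:<eventName>) and the requestParameters against each SCP statement's Action and Condition exactly as done above.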




Just to conclude: do you want to move from IAM policies to SCPs?





A quick comparison table of IAM/SCP:





