https://docs.aws.amazon.com/ja_jp/organizations/latest/userguide/orgs_tutorials_basic.html
Tasks:
- Create an OU and move a member account into it
- Create a service control policy (SCP) that only permits launching t3.nano EC2 instances, and attach it to the OU
- Confirm that the member account can launch a t3.nano EC2 instance but cannot launch a t3.micro EC2 instance
-- 1. Install the required tools
-- 1.1 Install AWS CLI version 2
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
-- 1.2 Install jq
sudo yum -y install jq
-- 2. Create the OU
aws organizations list-roots
aws organizations list-children \
--parent-id r-xxxx \
--child-type ORGANIZATIONAL_UNIT
aws organizations create-organizational-unit \
--parent-id r-xxxx \
--name ou01
-- 3. Move the account from the root to the OU
aws organizations move-account \
--account-id 888888888888 \
--source-parent-id r-xxxx \
--destination-parent-id ou-xxxx-yyyyyyyy
aws organizations list-children \
--parent-id ou-xxxx-yyyyyyyy \
--child-type ACCOUNT
-- 4. Enable the SERVICE_CONTROL_POLICY policy type on the root
aws organizations enable-policy-type \
--root-id r-xxxx \
--policy-type SERVICE_CONTROL_POLICY
-- 5. Create the SCP (policy document saved as a.json)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireInstanceType",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "t3.nano"
                }
            }
        }
    ]
}
aws organizations create-policy \
--content file://a.json \
--description "scp01" \
--name scp01 \
--type SERVICE_CONTROL_POLICY
aws organizations list-policies \
--filter SERVICE_CONTROL_POLICY
aws organizations describe-policy \
--policy-id p-zzzzzzzz
-- 6. Attach the SCP to the OU
aws organizations attach-policy \
--policy-id p-zzzzzzzz \
--target-id ou-xxxx-yyyyyyyy
aws organizations list-targets-for-policy \
--policy-id p-zzzzzzzz
-- 7. Verify the service control policy takes effect
-- Run in the member account (SCPs do not apply to the management account)
aws ec2 run-instances \
--image-id ami-0404778e217f54308 \
--instance-type t3.micro \
--key-name key2 \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=instance01}]' \
--instance-market-options '{"MarketType": "spot","SpotOptions": {"SpotInstanceType": "one-time"}}'
→ An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.
aws ec2 run-instances \
--image-id ami-0404778e217f54308 \
--instance-type t3.nano \
--key-name key2 \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=instance02}]' \
--instance-market-options '{"MarketType": "spot","SpotOptions": {"SpotInstanceType": "one-time"}}'
→ OK
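As an added example (not code from the page or from AWS), the script below builds the same SCP document as step 5 and evaluates it locally for the two launches tried in step 7, so the expected Deny/Allow split can be checked before the policy is attached to a real OU. The evaluator is a small model written for this example: it handles only Deny statements with StringEquals/StringNotEquals conditions and assumes the default FullAWSAccess SCP is still attached, so the only effect the policy can have is an explicit deny. The region in the instance ARN is a constructed value; the account id is the one used on the page. It also generalises the page's policy to a list of allowed instance types, which StringNotEquals supports (the request is denied only when its value matches none of the listed values).

```python
"""Build the instance-type SCP from the walkthrough and evaluate it offline.

Added example; the evaluator is a simplified model of SCP evaluation
written for this page, not an AWS library.
"""
import fnmatch
import json


def build_instance_type_scp(allowed_types):
    """Return the SCP document as a dict.

    With ["t3.nano"] this is exactly the policy from step 5. A longer list
    generalises it: StringNotEquals with several values denies only when
    the requested type matches none of them.
    """
    allowed = list(allowed_types)
    value = allowed[0] if len(allowed) == 1 else allowed
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireInstanceType",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": ["arn:aws:ec2:*:*:instance/*"],
                "Condition": {"StringNotEquals": {"ec2:InstanceType": value}},
            }
        ],
    }


def policy_json(policy):
    """Serialise the policy the way it would be written to a.json."""
    return json.dumps(policy, indent=4)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every condition clause is satisfied by the request context.

    Only StringEquals and StringNotEquals are modelled. A missing context key
    is treated as not matching; the IfExists / Null operators are out of scope.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected_values = _as_list(expected)
            if operator == "StringEquals" and actual not in expected_values:
                return False
            if operator == "StringNotEquals" and actual in expected_values:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_scp(policy, action, resource, context):
    """Return "Deny" if any Deny statement matches the request, else "Allow".

    Action and Resource patterns use IAM-style '*' wildcards, matched here
    with fnmatch. Allow statements are ignored because this model assumes
    FullAWSAccess is still attached to the OU.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return "Deny"
    return "Allow"


# Constructed instance ARN: region chosen for the example, account id from the page.
INSTANCE_ARN = "arn:aws:ec2:ap-northeast-1:888888888888:instance/*"
SCP = build_instance_type_scp(["t3.nano"])


def check_instance_type(instance_type, policy=SCP):
    """Model the RunInstances call from step 7 for one instance type."""
    return evaluate_scp(policy, "ec2:RunInstances", INSTANCE_ARN,
                        {"ec2:InstanceType": instance_type})


if __name__ == "__main__":
    print(policy_json(SCP))
    for itype in ("t3.micro", "t3.nano"):
        print(itype, "->", check_instance_type(itype))
```

The model reproduces the page's result: t3.micro is denied and t3.nano is allowed, while an unrelated action such as ec2:DescribeInstances is untouched because the statement only names ec2:RunInstances. Remember that the real check in step 7 must be run with credentials from the member account, since SCPs never restrict the management account.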
-- 8. Clean up
aws organizations detach-policy \
--policy-id p-zzzzzzzz \
--target-id ou-xxxx-yyyyyyyy
aws organizations list-targets-for-policy \
--policy-id p-zzzzzzzz
aws organizations list-policies \
--filter SERVICE_CONTROL_POLICY
aws organizations describe-policy \
--policy-id p-zzzzzzzz
aws organizations delete-policy \
--policy-id p-zzzzzzzz
aws organizations disable-policy-type \
--root-id r-xxxx \
--policy-type SERVICE_CONTROL_POLICY
-- Move the account from the OU back to the root
aws organizations move-account \
--account-id 888888888888 \
--source-parent-id ou-xxxx-yyyyyyyy \
--destination-parent-id r-xxxx
-- Delete the OU
aws organizations list-children \
--parent-id r-xxxx \
--child-type ORGANIZATIONAL_UNIT
aws organizations delete-organizational-unit \
--organizational-unit-id ou-xxxx-yyyyyyyy