https://dev.classmethod.jp/articles/protect-resources-by-scp/
下記のSCPを適用し、EC2インスタンス作成時に次の要件を満たすことを強制する
想定要件1. key1タグが存在し、値はval1かval2のいずれかとなっていること
想定要件2. envタグが存在すること(値は何でも可)
SCP は、管理アカウントのユーザーやロールには影響を与えません。SCP は、組織内のメンバーアカウントにのみ影響を与えます。
組織の各タイプのポリシーの数の最大値 -> ポリシータイプあたり 1000
-- 1. コマンド等のインストール
-- 1.1 aws cli version 2 インストール
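# Install AWS CLI v2 from the official bundle.
# Fetch the detached signature alongside the zip and verify it before anything
# from the archive runs under sudo, so a tampered or truncated download is
# rejected instead of installed. `curl -f` makes an HTTP error fail the
# download instead of saving the error page as awscliv2.zip.
# Prerequisite: the AWS CLI team's public key (published in the AWS CLI user
# guide) must be imported into the local gpg keyring, otherwise `gpg --verify`
# fails and nothing is installed (fail-closed).
cli_url="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
curl -fsSL "${cli_url}" -o awscliv2.zip
curl -fsSL "${cli_url}.sig" -o awscliv2.sig
if gpg --verify awscliv2.sig awscliv2.zip; then
  unzip awscliv2.zip
  sudo ./aws/install
  aws --version
else
  printf 'awscliv2.zip: signature verification failed; not installing\n' >&2
fi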
-- 1.2 jqインストール
# jq: command-line JSON processor, handy for reading the CLI's JSON output.
sudo yum install -y jq
# Enable the SCP policy type on the organization root (r-2222 is the root id
# used throughout these notes; take the real one from `list-roots`).
aws organizations enable-policy-type --root-id r-2222 --policy-type SERVICE_CONTROL_POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestTag/key1": [
"val1",
"val2"
]
}
}
},
{
"Sid": "Statement2",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"Null": {
"aws:RequestTag/env": "true"
}
}
}
]
}
# Create the SCP from scp01.json, confirm it exists, then attach it to the
# organization root so it applies to every member account (SCPs never
# constrain the management account). p-11111111 and r-2222 are the placeholder
# policy id and root id used in these notes.
aws organizations create-policy --name scp01 --description "scp01" \
  --type SERVICE_CONTROL_POLICY --content file://scp01.json
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
aws organizations describe-policy --policy-id p-11111111
aws organizations list-roots
aws organizations attach-policy --policy-id p-11111111 --target-id r-2222
aws organizations list-targets-for-policy --policy-id p-11111111
-- 5. サービスコントロールポリシーの動作確認
-- メンバーアカウントで実行
# Case: no tags at all. Expected: denied (both key1 and env are missing, so
# Statement1 and Statement2 of the SCP both match). --dry-run only checks
# authorization; no instance is launched.
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano
→You are not authorized to perform this operation
# Case: key1=val1 only. Expected: denied — env is missing, so Statement2
# (Null aws:RequestTag/env) matches.
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=val1}]'
→You are not authorized to perform this operation
# Case: env=dev only. Expected: denied — key1 is missing, so Statement1
# (StringNotEquals on aws:RequestTag/key1) matches.
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=env,Value=dev}]'
→You are not authorized to perform this operation
# Case: key1=val1 and env=dev. Expected: allowed by the SCP (dry-run reports
# the request would have succeeded).
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=val1},{Key=env,Value=dev}]'
→Request would have succeeded, but DryRun flag is set
# Case: key1=val2 and env=dev. Expected: allowed — val2 is the other permitted
# value for key1.
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=val2},{Key=env,Value=dev}]'
→Request would have succeeded, but DryRun flag is set
# Case: key1=val3 and env=dev. Expected: denied — val3 is not in the allowed
# list, so Statement1 matches even though env is present.
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=val3},{Key=env,Value=dev}]'
→You are not authorized to perform this operation
# Case: required tags plus an unrelated extra tag (hoge=fuga). Expected:
# allowed — the SCP only checks key1 and env, extra tags are not restricted.
aws ec2 run-instances --dry-run --image-id ami-0404778e217f54308 --instance-type t3.nano \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=key1,Value=val1},{Key=env,Value=dev},{Key=hoge,Value=fuga}]'
→Request would have succeeded, but DryRun flag is set
-- 6. クリーンアップ
# Tear down in dependency order: the policy has to be detached from its
# target(s) before it can be deleted, and the policy type on the root is
# disabled last.
aws organizations detach-policy --policy-id p-11111111 --target-id r-2222
aws organizations list-targets-for-policy --policy-id p-11111111   # should now show no targets
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
aws organizations describe-policy --policy-id p-11111111
aws organizations delete-policy --policy-id p-11111111
aws organizations disable-policy-type --root-id r-2222 --policy-type SERVICE_CONTROL_POLICY