Enforcing EBS Encryption within AWS Organization using SCP (Service Control Policy)
Is it possible to enforce that all accounts within an AWS organization can only create encrypted EBS volumes?
I know you can enforce it using IAM roles, but I want to know if it can be done with SCP.
Here's what I've come up with so far, but it doesn't work. I've attached this to an account within my organisation but I can create both encrypted and unencrypted volumes.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "false"
                }
            }
        }
    ]
}
amazon-web-services amazon-iam aws-organizations
asked 6 mins ago by Tim
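As an added example that is not part of the post or of any AWS tooling: a small offline evaluator of SCP semantics (an action passes only if some Allow covers it and no Deny matches) with the Bool condition operator, run over constructed request contexts for the posted policy. It also exercises a case the post does not mention: a volume created through ec2:RunInstances, which the posted statement does not name.

```python
import fnmatch

# The SCP from the question, reproduced as a dict, plus the FullAWSAccess
# Allow that an organization root carries by default: an SCP permits an
# action only when some Allow covers it and no Deny statement matches.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:CreateVolume",
            "Resource": "*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
    ],
}

def _condition_met(condition, ctx):
    """Evaluate a Condition block; only the Bool operator is modelled here.
    A key absent from the request context never satisfies Bool, so the
    statement carrying it simply does not apply to that request."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if key not in ctx or str(ctx[key]).lower() != str(wanted).lower():
                return False
    return True

def scp_allows(policy, action, ctx):
    """True if the SCP lets `action` through for request context `ctx`."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        if not _condition_met(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed

if __name__ == "__main__":
    # Constructed request contexts, not captured API traffic.
    print(scp_allows(SCP, "ec2:CreateVolume", {"ec2:Encrypted": "true"}))   # True
    print(scp_allows(SCP, "ec2:CreateVolume", {"ec2:Encrypted": "false"}))  # False
    # A volume created by RunInstances block device mappings is not named by the posted Deny:
    print(scp_allows(SCP, "ec2:RunInstances", {"ec2:Encrypted": "false"}))  # True
```

Two things to confirm when testing a policy like this: the test is run from a member account, since SCPs never restrict the organization's management account, and the path that creates the volume really is ec2:CreateVolume rather than a RunInstances block device mapping, which needs its own Deny statement on the volume resource.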