
[Enhancement] Add ability to manage SCPs on nested OUs

Open • Brian969 opened this issue 3 years ago • 1 comment

  • ASEA manages SCPs on top-level OUs
  • ASEA manages SCPs on specific AWS accounts
  • Add ability to manage nested OU SCPs
  • Add ability to mandate an account-level SCP at the OU level

Brian969 avatar Aug 17 '22 10:08 Brian969

It seems an imminent need. We recently tried to upgrade to CT 3.0, and we observed that we are running into the SCP limit of 5 per OU.

It seems that CT adds 2 SCPs per OU, and then we need to attach the FullAccessPolicy too, which leaves room for just 2 policies, but we are attaching 3 (Phase-0, Phase-1, Sensitive). I felt Sensitive is no longer required either. However, it seems the Control Tower team has unnecessarily bloated the SCPs by packaging small policy docs within single SCPs.

rverma-dev avatar Aug 26 '22 07:08 rverma-dev
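An added audit script (not ASEA or Control Tower code) that walks a constructed org tree, nested OUs included, and reports each OU's direct SCP attachments against the 5-per-target quota the comment above runs into. The OU layout and the Control Tower guardrail names are placeholders; only the ASEA policy names and the quota come from the thread.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# AWS Organizations allows at most 5 SCPs attached to any single root, OU or
# account; that is the limit the comment above hits. Policies inherited from
# ancestors still apply below, but do not count against the child's own quota.
SCP_QUOTA_PER_TARGET = 5


@dataclass
class OrgUnit:
    name: str
    scps: list[str]                                  # SCPs attached directly here
    children: list[OrgUnit] = field(default_factory=list)


def audit(ou: OrgUnit, path: str = "", inherited: tuple[str, ...] = ()) -> list[dict]:
    """Depth-first walk; one record per OU, nested OUs included."""
    here = f"{path}/{ou.name}"
    effective = list(dict.fromkeys(list(inherited) + ou.scps))  # dedupe, keep order
    record = {
        "path": here,
        "attached": len(ou.scps),
        "headroom": SCP_QUOTA_PER_TARGET - len(ou.scps),
        "effective": effective,                        # everything applying below here
        "over_quota": len(ou.scps) > SCP_QUOTA_PER_TARGET,
    }
    out = [record]
    for child in ou.children:
        out += audit(child, here, tuple(effective))
    return out


def fits(ou: OrgUnit, new_scps: list[str]) -> bool:
    """True if the extra SCPs can be attached to this OU within the quota."""
    return len(set(ou.scps) | set(new_scps)) <= SCP_QUOTA_PER_TARGET


# Constructed sample tree modelled on the thread: Control Tower attaches two
# guardrail SCPs per OU (placeholder names), FullAWSAccess is always present,
# and ASEA attaches Phase-0, Phase-1 and Sensitive to the top-level OU.
CT_SCPS = ["ct-guardrail-1", "ct-guardrail-2"]
ASEA_SCPS = ["ASEA-Phase-0", "ASEA-Phase-1", "ASEA-Sensitive"]
ROOT = OrgUnit("Root", ["FullAWSAccess"], [
    OrgUnit("Infrastructure", ["FullAWSAccess"] + CT_SCPS + ASEA_SCPS, [
        OrgUnit("Dev", ["FullAWSAccess"]),            # nested OU, unmanaged by ASEA today
    ]),
])

if __name__ == "__main__":
    for r in audit(ROOT):
        flag = "OVER QUOTA" if r["over_quota"] else f"headroom {r['headroom']}"
        print(f"{r['path']}: {r['attached']} attached, {flag}")
```

Pointing `audit` at a tree built from `list_organizational_units_for_parent` and `list_policies_for_target` output gives the same report for a real organization before a CT upgrade adds more guardrails.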