[英]Cannot detach AWS-managed service control policy - access denied
I have the following statement in my IAM policy:我的 IAM 政策中有以下声明:
{
"Sid" : "AllowDetachingAWSManagedPolicies",
"Effect" : "Allow",
"Action" : [
"organizations:DetachPolicy"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"organizations:PolicyType" : "SERVICE_CONTROL_POLICY"
}
}
}
However, when I try to detach the FullAWSAccess
policy from an AWS Organizations account, I get AccessDenied, as if my IAM policy wasn't sufficient.但是,当我尝试从 AWS Organizations 账户中分离FullAWSAccess
策略时,我得到 AccessDenied,就好像我的 IAM 策略不够用一样。 I have made sure that there is another SCP in addition to FullAWSAccess
, so the issue is not that there would remain no SCPs attached to the account.我已确保除了FullAWSAccess
之外还有另一个 SCP,因此问题不在于该帐户不会保留任何 SCP。
What is going wrong?出了什么问题?
Strangely enough, the AWS-managed FullAWSAccess
policy does not count as a SERVICE_CONTROL_POLICY
even though it is listed as such on the AWS Organizations Policies page.奇怪的是,AWS 管理的FullAWSAccess
策略并不算作SERVICE_CONTROL_POLICY
,即使它在 AWS 组织策略页面上如此列出。
When I removed the condition, I no longer got AccessDenied
errors:删除条件后,我不再收到AccessDenied
错误:
{
"Sid" : "AllowDetachingAWSManagedPolicies",
"Effect" : "Allow",
"Action" : [
"organizations:DetachPolicy"
],
"Resource" : "*"
}
Another thing I tried to do was to specify a resource that matched FullAWSAccess
:我尝试做的另一件事是指定与FullAWSAccess
匹配的资源:
"Resource": "arn:aws:organizations::aws:policy/service_control_policy/p-*"
But that similarly resulted in an AccessDenied error.但这同样导致了 AccessDenied 错误。 So I left it as:所以我把它留为:
"Resource": "*"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.