无法分离 AWS 托管的服务控制策略 - 访问被拒绝
[英]Cannot detach AWS-managed service control policy - access denied
问题描述
I have the following statement in my IAM policy:
我的 IAM 政策中有以下声明:
{
"Sid" : "AllowDetachingAWSManagedPolicies",
"Effect" : "Allow",
"Action" : [
"organizations:DetachPolicy"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"organizations:PolicyType" : "SERVICE_CONTROL_POLICY"
}
}
}
However, when I try to detach the FullAWSAccess policy from an AWS Organizations account, I get AccessDenied, as if my IAM policy wasn't sufficient.但是,当我尝试从 AWS Organizations 账户中分离FullAWSAccess策略时,我得到 AccessDenied,就好像我的 IAM 策略不够用一样。 I have made sure that there is another SCP in addition to FullAWSAccess , so the issue is not that there would remain no SCPs attached to the account.我已确保除了FullAWSAccess之外还有另一个 SCP,因此问题不在于该帐户不会保留任何 SCP。
What is going wrong?出了什么问题?
1 个解决方案
解决方案1
1 2022-08-22 13:14:03
Strangely enough, the AWS-managed FullAWSAccess policy does not count as a SERVICE_CONTROL_POLICY even though it is listed as such on the AWS Organizations Policies page.奇怪的是,AWS 管理的FullAWSAccess策略并不算作SERVICE_CONTROL_POLICY ,即使它在 AWS 组织策略页面上如此列出。
When I removed the condition, I no longer got AccessDenied errors:删除条件后,我不再收到AccessDenied错误:
{
"Sid" : "AllowDetachingAWSManagedPolicies",
"Effect" : "Allow",
"Action" : [
"organizations:DetachPolicy"
],
"Resource" : "*"
}
Another thing I tried to do was to specify a resource that matched FullAWSAccess :我尝试做的另一件事是指定与FullAWSAccess匹配的资源:
"Resource": "arn:aws:organizations::aws:policy/service_control_policy/p-*"
But that similarly resulted in an AccessDenied error.但这同样导致了 AccessDenied 错误。 So I left it as:所以我把它留为:
"Resource": "*"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.