AWS Organization SCP - Service Control Policy DEMO | Blacklist & Whitelist strategy
- Added 29. 08. 2024
- Learn #AWS Organization & Service Control Policy in detail:
- Service Control Policy #SCP #DEMO
- Blacklist & Whitelist strategy
- How SCP works with IAM
- Applying SCP at Root & Organizational Unit
- SCP further reading - docs.aws.amazo...
- IAM Video -- bit.ly/2JYF1MT
- Organizations Video -- bit.ly/2YEml93
- SCP examples -- amzn.to/2wbRqEN
#######################################################
HOW TO BENEFIT from KNOWLEDGEINDIA to learn AWS
#######################################################
#AWS #Videos to learn in #EASY & #PRACTICAL manner:
AWS Security: bit.ly/2Rj5yWI
AWS Networking: bit.ly/2FbQoxq
AWS Pricing: bit.ly/2KQysMA
AWS Automation: bit.ly/2KkW8cm
AWS Interview Questions: bit.ly/2IlLgcj
-------------------------------------------------------
AWS SysOps Admin: bit.ly/2RiuY6I
AWS Solutions Architect: bit.ly/2WKpYZV
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
SUBSCRIBE to CZcams channel: / knowledgeindia
Watch our videos in correct order: bit.ly/2GVzLti
Connect on LinkedIn, receive AWS updates & Practical Scenario Questions - bit.ly/2XC5bZg
If you have benefited, you can support us on PATREON: bit.ly/2TzxTbb
Join AWS Practical Learning Group on LinkedIn: bit.ly/2Vx7aOi
SUBSCRIBE to our blog for AWS exercises & case-studies: aws-tutorials....
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Facebook - AWStutorials
Twitter - bit.ly/2RyuN9R
We try our best to answer most of the COMMENTS within 24 hours. Please write your appreciation/feedback below.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Superb explanation. It is the best channel for AWS, with such a knowledgeable person delivering the lectures on the channel. I can guarantee anyone that once you go through any video you won't have doubts on that particular topic. The videos helped me clear the AWS SysOps and Solutions Architect Associate certifications. I would highly recommend this channel to anyone who is new to AWS and wants to master it.
Keep posting videos on different services in AWS. I appreciate the channel for providing such worthy content free of cost.
Thanks a lot Pavan for your kind words. Please do write on LinkedIn as well. :)
This is AWESOME!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
After learning so many things from this channel, I can say this is one of the best channels for cloud. ❤️
Glad you think so! Please share it with more people in your circle.
I came across your channel around 3 years back and made use of your videos to consistently clear my concept. You are superb. As a token of thanks I have made the payment. Looking forward to good videos from your channel.
Thanks a lot ✌️✌️
Good video. Just remember it is not possible to use a peering connection to send traffic to the internet. A peering connection allows you to send traffic between peered VPCs; traffic originating in one VPC cannot use the internet gateway of the other VPC.
Thanks Sir.. Your videos really help in getting a clear understanding of the topic.
Thanks so much... your videos not only focus on the basic stuff but also implement the advanced stuff on the services... I really love the work you put in here....
Glad you like them! Do share with your friends as well :)
Love the way how you explain 👍
Very helpful very informative. Thank you so much for sharing your knowledge.
Very informative video, You are such a great teacher. You nicely explained the concepts of SCP. Thank for your effort.
Please share and support us.
very good and clear explanation. good video to study.
fantastic
Great knowledge and a simple way of explaining, so that students get a logical way to think and implement. I would surely recommend this to anyone who wants to start on AWS. Many thanks.
Thanks mahtab . 👍 Do share this with your friends and help them.
Nicely explained sir.. Thanks for the session..
Thanks a lot... really good video, makes things very clear 👏🏻👏🏻👏🏻
Glad to hear that!
very nice explanation with demo.. thank you so much!!
Another superb lecture.... Thanks man...
Thanks for your appreciation. You can support our initiative of Free Practical Cloud Tutorials by sharing this video with your friends on Social channels, whatsapp etc.
If it helped you solve a problem and you would like to applaud us, click the Applaud button :)
For regular 1-1 interaction with me, check our Membership - czcams.com/channels/zpHRBVnkzBfSsXostYuW1g.htmljoin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks!
Thank you 👍I hope you continue to learn from our videos.
Great videos bro ......
Thank you 👍I hope you continue to learn from our videos.
Brilliant video.. thanks a lot
very well explained
superb video !!
Nice explanation
Thank you! Nice demo. Like!
Thanks a lot. You can help us by sharing the videos with your friends on LinkedIn/Facebook.
Superb explanation for scp. My concepts are cleared now. Thanks for this wonderful material.
Sir, would you provide any aws sysops training ?
Thanks a lot. We do have a playlist for SysOps. In addition, there will be an upcoming training batch after a while.
Sir, your videos are very helpful. Thank you. Could you please make a video on AWS Cognito and the identity federation service in AWS?
Sure, will do that. Please share this and support us
Thanks. nicely explained
Please share and support us
Actually a great video. But I think you need to speed up the video to save time. I played it at 1.35x and it was still perfectly understandable.
Alright.. glad that you increased the speed.. Please do check out the other videos on our channel as well for the same type of content..
1.75x speed for me. Great content still.
Hey,
Correct yourself: SCPs affect only member accounts in the organization. They have no effect on users or roles in the management account (10:20).
Thank you.
Great content and well explained! Could you please move the logo to bottom right?
So what you mean is that the policy attached at the root and the policy attached at the OU are both first inherited by ki2, and then whatever is common to both SCPs is what gets applied to ki2?
This kind of video should be made in Notepad with diagrams; which account contains what and which OU is which, it's all confusing.
Good job, bud. Try not to say "go ahead" too much. Cheers!
Thank you.. !!
Great video again. I just started to watch all your video.
I have a question on organisation.
In case a child account's root user gets compromised, the first thing the attacker may do is disable CloudTrail, which could be restricted by an SCP.
But what if he removes the child account from the organisation? Would it then be possible for him to disable CloudTrail and run whatever resources he likes? Would an SCP restrict a child account from leaving its organisation?
Yes that's also possible. Look at example scp in documentation
Thanks KI, would it be possible for you to share the link to the AWS documentation? The one I saw did have an SCP which restricts a child account from leaving the organisation.
In this video, after 21 minutes, you have given an example of VPC peering and the traffic flowing outside with the help of the peered VPC's IGW. But AFAIK this is not possible in AWS. AWS rejects edge-to-edge routing. Can you please clarify?
Anand, I heard the part again. I have said that it can go via other vpc which has internet connection. I did not say you can directly use igw of other vpc. To use other vpc we will have to implement proxy in that vpc. I hope that helps. 😊😊
You can support our initiative by sharing with your friends and colleagues..
@@knowledgeindia Definitely. you have done a fantastic job by providing small videos on each of the topic. Really appreciate.
When we remove the explicit deny for IGW and there is no explicit allow, then the default deny should apply, right? How are we able to create the IGW in that case?
But we do have FullAccess along with that; this is an additional SCP attached.
How to check at the account level which SCP policies are applied at the other levels (OU and root)?
Hey Bro - What in case I don't want this deny policy in one of the AWS accounts which is lower in the hierarchy?
Any SCP applied above will flow downwards. If you don't want it on an account, then you probably need to move that account to a separate OU.
Hello Sir,
Very informative... I am trying to set up the following scenario...
=> Root --> SCP--> FullAccess
=> AWSExperts (OU) --> FullAccess (inherited)
=> Development (Account) --> FullAccess (inherited) --> DenyEC2Termination (Custom SCP)
=> Admins (Group) --> Admin (IAM Policy)
=> Abhay (IAM User)
=> EC2Users (Group) --> EC2FullAccess (IAM Policy)
=> EC2User-1 (IAM User) --> EC2FullAccess (Inherited)
The following DenyEC2Termination SCP denies termination for the EC2User-1:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:iam::967709585020:user/EC2User-1"
      ]
    }
  ]
}
The issue is that when I log in as EC2User-1 I am able to terminate the EC2 instance. The expectation is that it should deny this action.
Initially I tried with Resource "*"; it was working when I logged in as the root user of the Development account. It is not working for a specific IAM user. Where am I going wrong?
Please guide
Thanks
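How the SCPs in this scenario combine (and the root/OU inheritance asked about in an earlier comment), as an added Python simulation that is not from the video, the commenter or AWS: it merges each level's attached SCPs, requires every level from the root down to allow the call, lets any Deny win, and contrasts the posted Deny (whose Resource names the IAM user rather than the EC2 instance) with one scoped to the principal through an aws:PrincipalArn condition. The account id, instance id and the simplified matching rules (no NotAction/NotResource, only ArnEquals) are constructed assumptions.

```python
import fnmatch
# Constructed mini-evaluator of how SCPs combine down the organization tree
# (simplified: no NotAction/NotResource, only the aws:PrincipalArn key with
# ArnEquals). A request passes only if EVERY level from the root down to the
# account has an SCP statement allowing it and NO level has one denying it.
def _match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)
def _stmt_matches(stmt, action, resource, principal_arn):
    if not (_match(stmt["Action"], action) and _match(stmt["Resource"], resource)):
        return False
    for op, kv in stmt.get("Condition", {}).items():
        for key, vals in kv.items():
            # Unsupported operator or key: treat as no match (conservative).
            if op != "ArnEquals" or key != "aws:PrincipalArn":
                return False
            if not _match(vals, principal_arn):
                return False
    return True
def level_allows(policies, action, resource, principal_arn):
    """One root/OU/account level: all SCPs attached there are merged, Deny wins."""
    allowed = denied = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if _stmt_matches(stmt, action, resource, principal_arn):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied
def scp_allows(levels, action, resource, principal_arn):
    """levels: attached-policy lists ordered root, OU(s), account."""
    return all(level_allows(p, action, resource, principal_arn) for p in levels)

FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
USER = "arn:aws:iam::111111111111:user/EC2User-1"  # constructed account id
INSTANCE = "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0"
# As posted above: Resource names the IAM user, but the resource of
# ec2:TerminateInstances is the instance, so this Deny never matches.
AS_POSTED = {"Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"],
                            "Resource": [USER]}]}
# Corrected: deny on any resource, scoped to the principal via a condition key.
CORRECTED = {"Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"],
                            "Resource": "*",
                            "Condition": {"ArnEquals": {"aws:PrincipalArn": USER}}}]}
def can_terminate(root_scps, ou_scps, account_scps):
    return scp_allows([root_scps, ou_scps, account_scps],
                      "ec2:TerminateInstances", INSTANCE, USER)
```

The same evaluator shows why an empty level (no Allow at all) blocks everything below it, and why a Deny attached at the root cannot be undone by a FullAccess SCP lower down.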
Do SCP rules apply to IAM users which are created by the root users of child accounts to which SCP policies are applied?
I had watched your AWS Organizations and switching between roles (accounts) videos. You had made them in 3 or 4 parts. Right now I can't find those videos. Can you please provide them?
Check our security playlist please
Which user do we log in to the EC2 instance with in a real-time production environment in an organization?
An OS-level user; it depends on the OS of your EC2 instance.