Tags: amazon-web-services, amazon-iam, aws-organizations

CloudTrail explicit deny in AWS Org fails


There are only 5 users in IAM other than the root account. This policy has an explicit deny and is attached at the root level (attached photo), but it doesn't work.

"Doesn't work" means: in the AWS console, I click on Stop Logging and it stops the logging. I also ran the command to stop logging in the CLI, and that also stopped the logging, so this explicit deny is failing somewhere.

Please note that this test is done on an IAM member account and not the root account. I only used the root account to set up the SCP. The IAM member account is a super user and does almost all of the "admin work" on AWS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenycloudtrailStopLogging",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

[Image: AWS SCP]

[Image: inherited permissions]

Do the IAM users need to be linked somewhere else too? They aren't in the OUs, but they are still accounts in IAM, so I would figure that they all inherit the root permissions (photo above).

I also thought an explicit deny trumps every other decision in all other policies, so what reasons could there be that this policy doesn't work? These are the only 2 Service Control Policies (Full Access and Deny CloudTrail stop logging).

Are there any other factors aside from creating the policy and attaching it to the root? I thought this is all we had to do. Is there some kind of service or role exemption that could be placed elsewhere?


Solution

  • Putting the code above into a new "permission boundary policy" in IAM did the trick, instead of an SCP.

    Permission boundary policies in IAM limit IAM users, whereas SCPs in AWS Organizations limit AWS Organization accounts specifically.
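An added model (not from the post or from AWS) of the policy-evaluation order the question and the solution touch on: it encodes the documented rule that SCPs do not apply to principals in the organization's management account, which would explain the symptom if the IAM users live in the same account whose root user created the SCP, and it also shows that a permissions boundary needs an Allow beside the Deny or it implicitly denies every other action. The policy documents, scenario names and the `in_management_account` flag are constructed for illustration.

```python
from fnmatch import fnmatch

def _decide(statements, action):
    """One layer: explicit Deny wins, else Allow, else None (implicit deny); resources ignored (all "*")."""
    verdict = None
    for stmt in statements:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def is_allowed(action, identity_policy, scps=(), boundary=None, in_management_account=False):
    """Model of the AWS order: SCPs, then permissions boundary, then identity policy; every layer
    that applies must yield Allow. Documented rule: SCPs never apply inside the management account."""
    layers = []
    if scps and not in_management_account:
        # All SCPs attached at the same level (here: the org root) are evaluated together
        layers.append(_decide([s for p in scps for s in p["Statement"]], action))
    if boundary is not None:
        layers.append(_decide(boundary["Statement"], action))
    layers.append(_decide(identity_policy["Statement"], action))
    return all(v == "Allow" for v in layers)

# Constructed sample documents mirroring the two policies in the question
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_STOP_LOGGING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenycloudtrailStopLogging", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging"], "Resource": ["*"]}]}
# A boundary sets the maximum permissions, so it needs an Allow next to the Deny
BOUNDARY = {"Version": "2012-10-17",
            "Statement": FULL_ACCESS["Statement"] + DENY_STOP_LOGGING["Statement"]}

def scenarios(action="cloudtrail:StopLogging"):
    """Return {scenario: allowed?} for an IAM user whose identity policy is full access."""
    scps = [FULL_ACCESS, DENY_STOP_LOGGING]
    mgmt = dict(in_management_account=True)
    return {
        # SCPs at the org root, but the user lives in the management account: SCPs skipped
        "scp_management_account": is_allowed(action, FULL_ACCESS, scps=scps, **mgmt),
        # Same SCPs, user in a member account: the explicit deny applies
        "scp_member_account": is_allowed(action, FULL_ACCESS, scps=scps),
        # The accepted fix: the Deny carried by the user's permissions boundary instead
        "boundary_with_allow": is_allowed(action, FULL_ACCESS, boundary=BOUNDARY, **mgmt),
        # A boundary holding only the Deny statement implicitly denies everything else
        "deny_only_boundary": is_allowed(action, FULL_ACCESS, boundary=DENY_STOP_LOGGING, **mgmt),
    }
```

Running `scenarios()` returns True only for `scp_management_account`; with `cloudtrail:StartLogging` the deny-only boundary still blocks the call while the boundary that pairs Allow with Deny permits it.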