I want to block access to certain resources that I create as a base setup in new AWS accounts in my Organization. I want to do this for all users except Admins. The "access only for admins" part is solved with this design:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/myadminrole",
            "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/sso-region/AWSReservedSSO_myrolename"
          ]
        }
      }
    }
  ]
}
```
As you can see, in the above role everything is denied for everyone except the admins. This is not what I want to do; I want to block access to certain resources. The simplest way to do so is just to list the resources I want to block access to under "Resource". But this will result in manual work to keep this SCP up to date, and this is something I try to avoid. So my second idea was to use tags and base the deny of access on them with a condition like this:

```json
"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["mytagkey"]}}
```
But then I ran into this issue where some AWS services don't support authorisation based on tags, see link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#:~:text=Yes-,AWS%20Lambda,Partial%C2%B2,-Amazon%20Lightsail

Does anyone know a good way to solve my issue? Or do I just have to accept that I have to manually update my SCP?
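To make the failure mode in the question concrete, here is a small model of how IAM evaluates the two condition styles discussed above. This is an added example, not code from the question or from AWS; it reproduces the documented evaluation rules for `ArnNotEquals`, `StringEquals` and `ForAllValues:StringEquals` (a negated operator is true when the key is absent; a single-valued operator is false when the key is absent; a `ForAllValues` set operator is vacuously true when the key is absent or empty). The `aws:ResourceTag/mytagkey = protected` tagging scheme, the `developer` role and the account id are constructed assumptions. The scenarios show why a tag-based Deny cannot protect resources of a service that does not put resource tags into the request context: the key is simply missing and the Deny never fires.

```python
from fnmatch import fnmatchcase

# Principals exempted from the deny, copied from the question's SCP.
ADMIN_ARNS = [
    "arn:aws:iam::*:role/myadminrole",
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/sso-region/AWSReservedSSO_myrolename",
]

# Assumption: protected base-setup resources carry the tag mytagkey=protected.
RESOURCE_TAG_POLICY = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "ArnNotEquals": {"aws:PrincipalArn": ADMIN_ARNS},
        "StringEquals": {"aws:ResourceTag/mytagkey": "protected"},
    },
}

# The condition from the question, unchanged, attached to the same deny statement.
TAGKEYS_POLICY = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "ArnNotEquals": {"aws:PrincipalArn": ADMIN_ARNS},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["mytagkey"]},
    },
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _evaluate(operator, wanted, actual):
    """Model of how IAM evaluates one condition key (documented behaviour)."""
    if operator == "ArnNotEquals":
        # Negated operator: true when the key is absent or matches no pattern.
        return actual is None or not any(fnmatchcase(actual, w) for w in wanted)
    if operator == "StringEquals":
        # Single-valued operator: an absent key never matches.
        return actual is not None and actual in wanted
    if operator == "ForAllValues:StringEquals":
        # Set operator: true when every request value is in the policy list,
        # and also (vacuously) true when the key is absent or empty.
        return all(v in wanted for v in (actual or []))
    raise ValueError(f"operator not modelled: {operator}")


def condition_matches(condition, context):
    """Every operator block and every key inside it must match (logical AND)."""
    return all(
        _evaluate(op, _as_list(wanted), context.get(key))
        for op, block in condition.items()
        for key, wanted in block.items()
    )


def scp_denies(policy, context):
    """True if this Deny statement applies to the given request context."""
    return policy["Effect"] == "Deny" and condition_matches(policy["Condition"], context)


# Constructed principals (account id is a placeholder).
ADMIN = "arn:aws:iam::111122223333:role/myadminrole"
DEV = "arn:aws:iam::111122223333:role/developer"


def scenarios():
    """Constructed request contexts; returns {scenario: denied?} for both policies."""
    tagged = {"aws:ResourceTag/mytagkey": "protected"}
    return {
        # Admin is exempt regardless of tags.
        "admin, tagged resource": scp_denies(RESOURCE_TAG_POLICY, {"aws:PrincipalArn": ADMIN, **tagged}),
        "dev, tagged resource": scp_denies(RESOURCE_TAG_POLICY, {"aws:PrincipalArn": DEV, **tagged}),
        # Service that does not pass resource tags: key absent, the Deny does not fire.
        "dev, no resource tag in context": scp_denies(RESOURCE_TAG_POLICY, {"aws:PrincipalArn": DEV}),
        # aws:TagKeys only exists on tagging requests; absent key -> vacuously true -> denied.
        "dev, tagkeys policy, non-tagging call": scp_denies(TAGKEYS_POLICY, {"aws:PrincipalArn": DEV}),
        "dev, tagkeys policy, tagging another key": scp_denies(
            TAGKEYS_POLICY, {"aws:PrincipalArn": DEV, "aws:TagKeys": ["other"]}
        ),
    }


if __name__ == "__main__":
    for name, denied in scenarios().items():
        print(f"{name:45s} denied={denied}")
```

Two things stand out when this runs. First, with a `StringEquals` on `aws:ResourceTag/...`, a principal calling a service that never populates that key is not denied at all, which is the gap the question describes. Second, the `ForAllValues:StringEquals` on `aws:TagKeys` from the question evaluates to true whenever `aws:TagKeys` is absent, so inside a Deny it applies to every non-tagging request, not only to requests touching tagged resources; that is worth checking with the IAM policy simulator before deploying such an SCP.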
After investigation by both me and AWS support, this is not possible at the moment. So the answer is that you need to manually update your SCPs.