https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
This page says the following. What exactly do these statements mean? Are there any problems caused by this limitation?
- SCPs do not affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.
- Any action performed using permissions that are attached to a service-linked role (from the "Tasks and entities not restricted by SCPs" section).
Ideas
- Users can create new service-linked roles with any permissions, regardless of SCPs. Therefore, users can let EC2 instances (for example) do what users can't directly do.
- Users can create new service-linked roles with permissions that are allowed by SCPs. However, service-linked roles can be shared by other accounts within the same organization. Therefore, shared service-linked roles may have permissions that are not allowed by SCPs.
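As an added illustration (not from the linked page or from the question itself), a simplified model of the limitation quoted above: an SCP deny statement is evaluated for ordinary IAM users and roles in a member account but skipped for service-linked roles, which AWS creates under the reserved `/aws-service-role/` path, so an auditor can inventory those roles separately. The SCP document, ARNs and role records are constructed samples, and the evaluator deliberately ignores identity, resource and permission-boundary policies.

```python
import fnmatch

# Constructed sample SCP (deny-list style, assumes FullAWSAccess is also attached).
SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}],
}

# Constructed sample of iam:ListRoles-shaped records for one member account.
ROLES = [
    {"RoleName": "Developer", "Path": "/",
     "Arn": "arn:aws:iam::123456789012:role/Developer"},
    {"RoleName": "AWSServiceRoleForAutoScaling", "Path": "/aws-service-role/autoscaling.amazonaws.com/",
     "Arn": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"},
]


def is_service_linked_role(role_arn: str) -> bool:
    """Service-linked roles always live under the reserved /aws-service-role/ path."""
    return ":role/aws-service-role/" in role_arn


def scp_denies(scp: dict, action: str) -> bool:
    """Simplified SCP check: does any explicit Deny statement match the action?
    IAM action patterns may contain * and ?, which fnmatch handles."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            return True
    return False


def scp_blocks(principal_arn: str, action: str, scp: dict = SCP) -> bool:
    """True if the SCP would block this principal's request in a member account.
    Model of the quoted limitation: SCPs filter IAM users/roles but are not
    applied to service-linked roles, so the deny never reaches them."""
    if is_service_linked_role(principal_arn):
        return False
    return scp_denies(scp, action)


def roles_outside_scp_scope(roles: list) -> list:
    """Inventory helper for defenders: names of roles an SCP will not constrain."""
    return [r["RoleName"] for r in roles if is_service_linked_role(r["Arn"])]
```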