1
votes

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

This page says the following. What do these mean exactly? Are there any problems caused by this limitation?

  • SCPs do not affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.
  • Any action performed using permissions that are attached to a service-linked role (in the "Tasks and entities not restricted by SCPs" section).

Ideas

  1. Users can create new service-linked roles with any permissions, regardless of SCPs. Therefore, users can let EC2 instances (for example) do what users can't directly do.
  2. Users can create new service-linked roles with permissions that are allowed by SCPs. However, service-linked roles can be shared by other accounts within the same organization. Therefore, shared service-linked roles may have permissions that are not allowed by SCPs.
How did it go? Still unclear about the questions? - Marcin

1 Answer

2
votes
  1. The instance role is not a service-linked role. The only service-linked roles for EC2 are for Spot Instance Requests and Spot Fleet Requests. Thus you can't bypass SCPs with an instance role. Same for ECS and Lambda roles.

  2. Not sure I understand the question, but service roles are assumable only by an AWS service. They are not for IAM users, groups or IAM roles.
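To make the answer's distinction concrete, here is an added example (not code from the original question or answer) that audits a role inventory and separates service-linked roles, which the linked documentation says SCPs do not restrict, from ordinary roles such as EC2 instance roles, which SCPs govern like any other principal in the account. The input is a constructed sample shaped like boto3's `iam.list_roles()["Roles"]` output; `AWSServiceRoleForEC2Spot` is the real EC2 Spot service-linked role, the other two role names are made up, and the test used is the `/aws-service-role/` IAM path that every service-linked role is created under.

```python
"""Split IAM roles into service-linked roles (outside SCP scope) and
ordinary roles such as EC2 instance roles (inside SCP scope).

Added example; the sample inventory below is constructed to look like
boto3's iam.list_roles()["Roles"] and is not real account data.
"""
import json
from typing import Dict, List

# Service-linked roles are created by the owning AWS service under this
# fixed IAM path, which is what makes them recognisable in an inventory.
SERVICE_LINKED_PATH = "/aws-service-role/"

# Constructed sample. AWSServiceRoleForEC2Spot is a real service-linked role
# name; "my-ec2-instance-role" and "cross-account-admin" are hypothetical.
SAMPLE_ROLES: List[Dict] = [
    {
        "RoleName": "AWSServiceRoleForEC2Spot",
        "Path": "/aws-service-role/spot.amazonaws.com/",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "spot.amazonaws.com"},
                           "Action": "sts:AssumeRole"}],
        },
    },
    {
        # An EC2 instance role: trusted by the EC2 service, but an ordinary
        # role under "/", so SCPs apply to everything it does.
        "RoleName": "my-ec2-instance-role",
        "Path": "/",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}],
        },
    },
    {
        "RoleName": "cross-account-admin",
        "Path": "/",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                           "Action": "sts:AssumeRole"}],
        },
    },
]


def trusted_principals(role: Dict) -> List[str]:
    """Flatten the trust policy into the principals allowed to assume the
    role (service names such as ec2.amazonaws.com, or AWS ARNs)."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):  # tolerate a JSON-encoded policy document
        doc = json.loads(doc)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    principals: List[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # e.g. "Principal": "*"
            principals.append(principal)
            continue
        for value in principal.values():  # {"Service": ...} or {"AWS": ...}
            if isinstance(value, list):
                principals.extend(value)
            else:
                principals.append(value)
    return principals


def is_service_linked(role: Dict) -> bool:
    """True for a service-linked role, i.e. one that SCPs do not restrict."""
    return role.get("Path", "/").startswith(SERVICE_LINKED_PATH)


def classify_roles(roles: List[Dict]) -> Dict[str, List[str]]:
    """Return role names grouped into those SCPs cannot reach and those SCPs govern."""
    report: Dict[str, List[str]] = {"service_linked": [], "scp_governed": []}
    for role in roles:
        bucket = "service_linked" if is_service_linked(role) else "scp_governed"
        report[bucket].append(role["RoleName"])
    return report


def describe_role(role: Dict) -> str:
    """One-line summary mirroring the distinction drawn in the answer."""
    who = ", ".join(trusted_principals(role)) or "nobody"
    if is_service_linked(role):
        return f"{role['RoleName']}: service-linked, trusted by {who}; SCPs do not apply"
    return f"{role['RoleName']}: ordinary role, trusted by {who}; SCPs apply"


if __name__ == "__main__":
    for r in SAMPLE_ROLES:
        print(describe_role(r))
    print(classify_roles(SAMPLE_ROLES))
```

Note that the instance role trusts `ec2.amazonaws.com` just as the Spot service-linked role trusts `spot.amazonaws.com`; the trust policy alone does not tell you whether SCPs apply, the `/aws-service-role/` path does, which is why the classification keys on the path rather than on the principal. Against a live account, replace `SAMPLE_ROLES` with the paginated output of `list_roles` and review the `service_linked` bucket as the set of roles whose actions your SCPs will never constrain.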