
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

This page says the following. What do these mean exactly? Are there any problems caused by this limitation?

  • SCPs do not affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.
  • Any action performed using permissions that are attached to a service-linked role (in the "Tasks and entities not restricted by SCPs" section).

Ideas

  1. Users can create new service-linked roles with any permissions, regardless of SCPs. Therefore, users can let EC2 instances (for example) do what users can't directly do.
  2. Users can create new service-linked roles with permissions that are allowed by SCPs. However, service-linked roles can be shared by other accounts within the same organization. Therefore, shared service-linked roles may have permissions that are not allowed by SCPs.
– dmjy

1 Answer

  1. The instance role is not a service-linked role. The only service-linked roles for EC2 are for Spot Instance Requests and Spot Fleet Requests. Thus you can't bypass SCPs with an instance role. Same for ECS and Lambda roles.

  2. Not sure I understand the question, but service-roles are assumable only by an AWS service. They are not for IAM users, groups or IAM roles.

– Marcin
  • Sorry for the late reply. I'm very confused about instance roles and service-linked roles. Could you give me an explanation? If I create a new role with type = AWS service here (https://console.aws.amazon.com/iam/home#/roles$new?step=type), is it a service-linked role? If I choose an IAM role in "Step 3: Configure Instance Details" during EC2 creation, does this mean I have set a service-linked role on the new EC2 instance? – dmjy Oct 02 '21 at 13:06
  • @dmjy No problem. An instance role is for individual instances. Each instance can have a different role or none. The instance role gives permissions to applications running on the instances. In contrast, the service-linked role is for the entire EC2 service. You have no control over it, as AWS manages the EC2 service, unlike EC2 instances, which you manage. – Marcin Oct 02 '21 at 22:44
  • As far as I can see from this page (https://docs.aws.amazon.com/autoscaling/ec2/userguide/autoscaling-service-linked-role.html#create-service-linked-role-manual), I can create new service-linked roles. What do you mean by "you have no control over it (service-linked role)"? – dmjy Oct 03 '21 at 02:48
  • @dmjy You can create it, but you can't use or modify it. It's for the EC2 service, not for you to use or alter. – Marcin Oct 03 '21 at 02:52
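As an added illustration of the distinction drawn in this answer and its comments (this is example code written for this page, not code from the question, the answer, or AWS): a small audit script that tells service-linked roles apart from ordinary roles such as an EC2 instance role, and then shows which of them an SCP actually reaches. It relies on two facts about IAM: service-linked roles always sit under the path `/aws-service-role/`, and an instance role is just a normal role whose trust policy names `ec2.amazonaws.com`. The role list and the SCP are constructed sample data shaped like `iam:ListRoles` output; the SCP evaluation is deliberately simplified (explicit Deny wins, otherwise some Allow must match; `NotAction` and `Condition` are not modelled) and is not AWS's evaluation engine.

```python
"""Added example: which roles in an account sit outside SCP reach?

Service-linked roles live under the IAM path /aws-service-role/ and are trusted
only by an AWS service principal; SCPs never apply to actions they perform.
An EC2 instance role is an ordinary role that trusts ec2.amazonaws.com, so
SCPs apply to it like to any other principal in the account.
All data below is constructed for the example, not real account output.
"""
import fnmatch

SERVICE_LINKED_PATH = "/aws-service-role/"

# Constructed sample shaped like the entries iam:ListRoles returns.
SAMPLE_ROLES = [
    {"RoleName": "AWSServiceRoleForAutoScaling", "Path": "/aws-service-role/",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"Service": "autoscaling.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "web-instance-role", "Path": "/",   # used via an instance profile
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "ops-cross-account", "Path": "/",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
          "Action": "sts:AssumeRole"}]}},
]

# Constructed SCP in the common "allow everything, then deny a few actions" shape.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "iam:Create*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_services(role):
    """Service principals allowed to assume the role (AWS/Federated principals ignored)."""
    services = set()
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def classify(role):
    """'service-linked' (SCP-exempt), 'service-role' (e.g. instance role) or 'principal-role'."""
    if role["Path"] == SERVICE_LINKED_PATH:
        return "service-linked"
    return "service-role" if trusted_services(role) else "principal-role"


def scp_permits(scp, action):
    """Simplified SCP check for one action: an explicit Deny wins, otherwise
    some Allow must match.  IAM wildcards (* and ?) are matched case-insensitively."""
    allowed = False
    for stmt in scp["Statement"]:
        if "NotAction" in stmt or "Condition" in stmt:
            raise ValueError("NotAction/Condition statements are out of scope here")
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_blocks(role, scp, action):
    """True if the SCP stops this role from performing the action.
    Service-linked roles are never evaluated against SCPs at all."""
    if classify(role) == "service-linked":
        return False
    return not scp_permits(scp, action)


def audit(roles, scp, action):
    """Map each role name to its SCP status for the given action."""
    result = {}
    for role in roles:
        kind = classify(role)
        if kind == "service-linked":
            status = "exempt (service-linked role, SCP not applied)"
        elif scp_blocks(role, scp, action):
            status = f"blocked by SCP ({kind})"
        else:
            status = f"permitted by SCP ({kind}); identity policy still decides"
        result[role["RoleName"]] = status
    return result


if __name__ == "__main__":
    for name, status in audit(SAMPLE_ROLES, SAMPLE_SCP, "ec2:TerminateInstances").items():
        print(f"{name:32} {status}")
```

Run against the sample data, the instance role and the cross-account role come back as blocked for `ec2:TerminateInstances` while the Auto Scaling service-linked role is reported as exempt, which is the answer's point in code form: the role an instance assumes is fully inside the SCP boundary, and the only roles outside it are the ones AWS services assume for their own management work. In a real account the same classification can be fed from `iam:ListRoles`; the roles under `/aws-service-role/` are the ones worth inventorying precisely because no SCP will ever be evaluated for them.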