- primary AWS account with AWS orgs setup, acctID xxxxxxxx2016
- account only has orgs in it and the only SCP in place is a simple denyleavingorgs at root level
- child account created called image-factory, acctID xxxxxxxx3352, where AMIs would be created/shared from
- child account created called lab2024, acctID xxxxxxxx6393
- Testing was done on this setup in the past week for a MRK key in the image-factory account and then usage of the key from the lab acct, see: https://gist.github.com/treyperrone/7417a34c4d8e85d2f8724aef4a02de98
- this allows a broad range of AMIs to be launched based on what Amazon allows their alias to be used on. It's not perfect by any means
- created a new SCP like below based on blog: https://aws.amazon.com/blogs/awsmarketplace/securing-access-to-amis-aws-marketplace/
- apply the SCP at root level, so it affects everything
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMarketplaceAMIAccess",
            "Effect": "Deny",
            "Action": [
                "ec2:RunScheduledInstances",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Owner": [
                        "amazon"
                    ]
                }
            }
        }
    ]
}
- switch to image-factory acct
- Allows launch of an ubuntu id ami-0971b6ff39e964529 named ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-20240119.1 owned by acct 099720109477
- Blocks launch of a Centos 9 stream AMI ami-0b2e9fef7a3024ce6 from looking around on marketplace
- Allows launch of amazonlinux2023 id ami-0f93c02efd1974b8b named al2023-ami-2023.3.20240219.0-kernel-6.1-arm64 by owner 137112412989
- switch to lab2024 acct
- Allows launch of amazonlinux2023 id ami-0f93c02efd1974b8b named al2023-ami-2023.3.20240219.0-kernel-6.1-arm64 by owner 137112412989
aws ec2 run-instances \
--image-id ami-0f93c02efd1974b8b \
--count 1 \
--instance-type t4g.nano \
--security-group-ids sg-0afe189dbba7fc8df \
--subnet-id subnet-06bda357a91d1e5c1 \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
--ebs-optimized \
--credit-specification CpuCredits=standard \
--no-associate-public-ip-address
- Blocks launch of a Centos 9 stream AMI ami-0b2e9fef7a3024ce6 from looking around on marketplace
aws ec2 run-instances \
--image-id ami-0b2e9fef7a3024ce6 \
--count 1 \
--instance-type t4g.nano \
--security-group-ids sg-0afe189dbba7fc8df \
--subnet-id subnet-06bda357a91d1e5c1 \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
--ebs-optimized \
--credit-specification CpuCredits=standard \
--no-associate-public-ip-address
An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. User: arn:aws:sts::xxxxxxxx6393:assumed-role/aw24-OrganizationAccountAccessRole/tp24 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1::image/ami-0b2e9fef7a3024ce6 with an explicit deny in a service control policy. Encoded authorization failure message: xhYtMpsMnGip0CHHK7AoQWCr3IupTgFTr6a1tg9YMTePjLJosjp3IYvTffbPyZxPgW6BuCA7nkx8AtHIPlCwrdJ6JA6C3On3Oadwci1hl0aIlVWk05kmbOp7RlLwExLtfck_JTg1fWL9ruxgGRAl5NgTRkVfl1GWY41cWcgbJl4rcw8Fu0lmZ4MpXM9avdL70hAk1yT-HhyDnGoxDsGW0GJSc3RLxZe37b7-3ooBzXqH_kuNoIxVeXzcIDMBEAvB_pUILdHo5QO5gWIcZT_ePljK8p5ZYHq9kVAcOQwnScucTH7GfSBV6iZUhujAio30ctgSoG7ChJZIB1tgq43uRO4Ljg4ljttABsA6CNXaTghWiQZuZhtfblRef9oSwfaMGZHEgWAwWO73w1bUaM2bQspCFVMXwLdzs2aEaIrRz4p_6DwGudpeKUGC50HrJkdv9iZdrHoLiTplLU6vauvpz7VpzFdqq93aZFBt71AKQjTEZuTwFdVmi44GB5LT6joOPDw7_q1L1XOyo04AREXxeaG6IewkszkQmvgDjFgTfzTciEAnn6K3F5cCN3LGJQ3bRpU7h8Wuca8gfJLrnJvMt235R_3VLyl7luqSoGsYp4bmRNFqN8n4LDz2is63_axIs81sIKbWdNRnyF3As-8tlpcGVdNwFSlbcC61qca02PjeroPhzhKOIdbBt5DPVYzAT4gB3s3lYDRScF2IU6NsFgMMl6gRic6tdxeG-2Oi4JSDPIRHdQ4qwnQ__kvfqw6OkXc0_Zh1v6ao2eGvWcHKOezu
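The UnauthorizedOperation text above is the only signal the CLI gives that an SCP (rather than an identity policy) blocked the launch. The following is an added example, not part of these notes, that pulls the principal account, role, action, region and AMI id out of such lines and separates SCP explicit denies from other authorization failures, so the denials can be counted per child account. The sample lines are constructed from the messages recorded in these notes (with the encoded failure message replaced by a placeholder); the third line, an identity-policy denial, is constructed to show the negative case.

```python
"""Parse AWS CLI UnauthorizedOperation lines into structured records.
Added example; the sample lines below are constructed from the notes."""
import re
from typing import Dict, List, Optional

# Constructed sample output: first two lines follow the notes' SCP denials
# (encoded failure message replaced by a placeholder), third line is a
# constructed non-SCP denial used as the negative case.
SAMPLE_ERRORS = [
    "An error occurred (UnauthorizedOperation) when calling the RunInstances operation: "
    "You are not authorized to perform this operation. User: "
    "arn:aws:sts::xxxxxxxx6393:assumed-role/aw24-OrganizationAccountAccessRole/tp24 "
    "is not authorized to perform: ec2:RunInstances on resource: "
    "arn:aws:ec2:us-east-1::image/ami-0b2e9fef7a3024ce6 with an explicit deny in a "
    "service control policy. Encoded authorization failure message: <ENCODED-MESSAGE-PLACEHOLDER>",
    "You are not authorized to perform this operation. User: "
    "arn:aws:sts::xxxxxxxx3352:assumed-role/aw24-OrganizationAccountAccessRole/tp24 "
    "is not authorized to perform: ec2:RunInstances on resource: "
    "arn:aws:ec2:us-east-1::image/ami-0f93c02efd1974b8b with an explicit deny in a "
    "service control policy.",
    "An error occurred (UnauthorizedOperation) when calling the RunInstances operation: "
    "You are not authorized to perform this operation. User: "
    "arn:aws:sts::xxxxxxxx6393:assumed-role/aw24-OrganizationAccountAccessRole/tp24 "
    "is not authorized to perform: ec2:RunInstances on resource: "
    "arn:aws:ec2:us-east-1::image/ami-0f93c02efd1974b8b because no identity-based "
    "policy allows the ec2:RunInstances action",
]

# Principal, action and resource as the CLI prints them; account ids may be
# masked with x's as they are in the notes.
DENIAL_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<account>[0-9A-Za-z]{12}):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+)) is not authorized to perform: "
    r"(?P<action>[\w:]+) on resource: (?P<resource>\S+)"
)
SCP_MARKER = "explicit deny in a service control policy"


def parse_denial(line: str) -> Optional[Dict[str, object]]:
    """Return a record for an UnauthorizedOperation line, or None if it is not one."""
    match = DENIAL_RE.search(line)
    if not match:
        return None
    record: Dict[str, object] = match.groupdict()
    resource = str(record["resource"])
    # ARN layout: arn:partition:service:region:account:resource
    record["region"] = resource.split(":")[3]
    record["ami"] = resource.rsplit("/", 1)[1] if "::image/" in resource else None
    record["scp_explicit_deny"] = SCP_MARKER in line
    return record


def scp_denials_by_account(lines: List[str]) -> Dict[str, int]:
    """Count SCP explicit denies per principal account, ignoring other failures."""
    counts: Dict[str, int] = {}
    for line in lines:
        record = parse_denial(line)
        if record and record["scp_explicit_deny"]:
            account = str(record["account"])
            counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(parse_denial(line))
    print(scp_denials_by_account(SAMPLE_ERRORS))
```

The same fields are available in CloudTrail `errorMessage` for RunInstances events, which is where a detection would normally read them; the parser is the piece that turns the free text into something you can group on.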
- Let's now set the policy to only allow run-instances of AMIs owned by the image-factory acct, like such:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonEnterpriseAMIAccess",
            "Effect": "Deny",
            "Action": [
                "ec2:RunScheduledInstances",
                "ec2:RunInstances"
            ],
            "Resource": "arn:aws:ec2:*::image/ami-*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Owner": [
                        "xxxxxxxx3352"
                    ]
                }
            }
        }
    ]
}
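Both SCPs above (DenyMarketplaceAMIAccess and DenyNonEnterpriseAMIAccess) have the same shape: an explicit Deny on RunInstances against the image resource, lifted only when ec2:Owner matches the allowed list. The following is an added example, not code from these notes or from the AWS blog, that builds that policy for any owner list and evaluates it offline against the AMIs tested here. It models only the grammar these two policies use (Deny, wildcard Action/Resource, StringNotEquals) and the IAM rule that a negated operator is satisfied when the key is absent from the request. The request contexts are constructed: the Ubuntu and AL2023 images are given the "amazon" alias because the notes record them as allowed under the first SCP, the Marketplace image's owner is not recorded in the notes and "aws-marketplace" is assumed, and the shared image-factory AMI gets a placeholder id. It also goes one step beyond the notes by showing why the Resource element is scoped to `image/ami-*`: RunInstances is authorized against the instance resource too, which carries no ec2:Owner key, so an unscoped version of the same policy would deny every launch.

```python
"""Offline evaluator for the AMI-owner SCPs in these notes (added example).
Implements only Deny / wildcard Action+Resource / StringNotEquals."""
import fnmatch
from typing import Dict, List, Optional

IMAGE_FACTORY = "xxxxxxxx3352"  # image-factory account id, masked as in the notes


def build_owner_scp(sid: str, allowed_owners: List[str],
                    resource: str = "arn:aws:ec2:*::image/ami-*") -> dict:
    """Return the deny-unless-owner SCP for any list of owners.

    Generalises the notes' single-owner policies: several image-factory
    accounts (or "amazon" plus an account) can be allowed at once.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Deny",
            "Action": ["ec2:RunScheduledInstances", "ec2:RunInstances"],
            "Resource": resource,
            "Condition": {"StringNotEquals": {"ec2:Owner": list(allowed_owners)}},
        }],
    }


MARKETPLACE_SCP = build_owner_scp("DenyMarketplaceAMIAccess", ["amazon"])
ENTERPRISE_SCP = build_owner_scp("DenyNonEnterpriseAMIAccess", [IMAGE_FACTORY])

# Constructed request contexts: (label, image id, value ec2:Owner is assumed to carry).
# ubuntu/al2023: allowed under the "amazon" SCP per the notes, so modelled as the alias.
# centos: owner not recorded in the notes, "aws-marketplace" assumed.
# tp-al2023: the shared image-factory AMI, placeholder image id.
SAMPLE_LAUNCHES = [
    ("ubuntu-jammy", "ami-0971b6ff39e964529", "amazon"),
    ("al2023", "ami-0f93c02efd1974b8b", "amazon"),
    ("centos-9-stream", "ami-0b2e9fef7a3024ce6", "aws-marketplace"),
    ("tp-al2023-2024-02-17", "ami-0000000000EXAMPLE", IMAGE_FACTORY),
]


def _matches(pattern, value: str) -> bool:
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: Dict[str, str]) -> bool:
    """Evaluate StringEquals / StringNotEquals blocks against the request context."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: an absent key satisfies it (IAM rule).
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(policy: dict, action: str, resource: str,
               context: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt["Sid"]
    return None


def evaluate_launches(policy: dict, region: str = "us-east-1") -> Dict[str, str]:
    """Evaluate ec2:RunInstances on each sample image resource ARN under `policy`."""
    results = {}
    for label, image_id, owner in SAMPLE_LAUNCHES:
        arn = f"arn:aws:ec2:{region}::image/{image_id}"
        sid = scp_denies(policy, "ec2:RunInstances", arn, {"ec2:Owner": owner})
        results[label] = f"DENIED by {sid}" if sid else "allowed"
    return results


def instance_resource_denied(policy: dict) -> bool:
    """RunInstances is also authorised against the instance resource, whose
    context has no ec2:Owner key; only the image/ami-* scoping keeps the
    negated operator from denying every launch there."""
    arn = "arn:aws:ec2:us-east-1:xxxxxxxx6393:instance/*"
    return scp_denies(policy, "ec2:RunInstances", arn, {}) is not None


if __name__ == "__main__":
    for name, policy in (("marketplace", MARKETPLACE_SCP), ("enterprise", ENTERPRISE_SCP)):
        print(name, evaluate_launches(policy))
    print("unscoped copy denies the instance resource:",
          instance_resource_denied(build_owner_scp("Unscoped", [IMAGE_FACTORY], "*")))
```

Run it and the enterprise policy denies all three public images and allows only the image-factory one, matching the lab2024 and image-factory results recorded below; the unscoped copy is the regression to watch for when someone "simplifies" the Resource element to `*`.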
- Now in the lab2024 child acct try and launch the al2023 image again and it is indeed BLOCKED
[cloudshell-user@ip-10-130-89-93 ~]$ aws ec2 run-instances --image-id ami-0f93c02efd1974b8b --count 1 --instance-type t4g.nano --security-group-ids sg-0afe189dbba7fc8df --subnet-id subnet-06bda357a91d1e5c1 --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" --ebs-optimized --credit-specification CpuCredits=standard --no-associate-public-ip-address
An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. User: arn:aws:sts::590183926393:assumed-role/aw24-OrganizationAccountAccessRole/tp24 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1::image/ami-0f93c02efd1974b8b with an explicit deny in a service control policy. Encoded authorization failure message: U5cQk33q8HlpjVoQhR-yRjwuJqoDX3yGHmIjB-eYjNFcmoTzLhyVBXfvaFfMblLC0oX3OvtUEAwbxDXi4DYRzQy4KyVVTvIH9D8C2oqoU-LbajqMDMrcG_EZwFe_aYm5Ez6o8vVnrKM0smUfkB4RztM9LlY-HmwZfnR9YoIAmJuR9UnT6Ydp0lN0VE2yTpauUyF1IHoOQ5ueGhpPDgW9wLeKQNLbqYQ0mOzn_6uZqK9N9nd0HROYOi3WN0ZwSbS-GbV9ClhXT--i5S7OZlK1_ZZKtwN3MY_0wJFP20UQRkoVIwAsdUa7aFMq9B38mlbAUNl-et9wozFAgSPPdQcOuq5xVipjSbptZYcOZu6NLJqJlvblEO9cZG9ApXu89sxPP1rY7JvFCtfl9QkimIB7-VB2iMspLvPwxJLfGxjloON66AHZuM5K_lkM6aPwUQuYE9BeQjpwTZmWSrkNa_zUv8asgA6Ceek3pcF0kkywESl9RnMQGlH7I97Gex-Pr1UFCtwr7-i1nyb4uudxOp2PGGoboeVozedQqJ3NaNLsPH7eojeBUncipEjVVY4YlsD_3hMJ4KHd8hgp-TpdvboS3ZlF0wGx34qzTk18MyTgMkbX2yvsitsLRzjm1n5V_XdH4AqOLhqVi_ZDQiakvKrzzPr6O-Z4GUJZ7r84hjjTVQqW_BNTCNfCiim4AtcrNcz95uDPOYkeOBa62yu2LrzjAiMbvkyhS9exm0naU_vGirhhGhmozH_cphv5a0nrLJ--iG-lBj1zAvKnaL91opvsMm1wfQkkb30m09QzdMg3ew
- in lab2024 let's launch our shared AMI from testing in the past week and SUCCESS as it's owned by the image-factory acct: xxxxxxxx3352/tp-al2023-2024-02-17
aws ec2 run-instances \
--image-id ami-0b2e9fef7a3024ce6 \
--count 1 \
--instance-type t4g.nano \
--security-group-ids sg-0afe189dbba7fc8df \
--subnet-id subnet-06bda357a91d1e5c1 \
--tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=cli-test-shared-ami-$(date '+%Y-%m-%d_%H-%M')}]" \
--ebs-optimized \
--credit-specification CpuCredits=standard \
--no-associate-public-ip-address
- Jump back to the image-factory acct for a sanity check that we now CANNOT launch other AMIs
- launch the al2023 again and errors
You are not authorized to perform this operation. User: arn:aws:sts::xxxxxxxx3352:assumed-role/aw24-OrganizationAccountAccessRole/tp24 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1::image/ami-0f93c02efd1974b8b with an explicit deny in a service control policy.
- launch the self-owned AMI 058264393352/tp-al2023-2024-02-17 from testing the other day and it WORKS FINE per the SCP