Preventing AWS Resource Access Manager (RAM) Resource Shares with SCP Policies | AWS Certified SysOps Administrator - Associate

Preventing Resource Shares in RAM with SCP Policies

Question

You have found that a team member uses AWS Resource Access Manager (RAM) in his AWS account to share resources with IAM users outside of the AWS Organization.

You want to apply an SCP policy in the AWS Organization to prevent users from creating such resource shares in RAM.

Which of the following SCP policies would you use?

Answers

Explanations


Correct Answer: C.

Option A is incorrect because the SCP should disallow users from sharing resources externally in RAM.

The effect of the policy should be "Deny" instead of "Allow".

Option B is incorrect because the action should not be "ram:*" and the effect should not be "Allow".

Option C is CORRECT because the policy denies the actions of creating/updating resource shares in RAM on the condition that the resource shares are for external principals outside of the AWS Organization.

Option D is incorrect because the action should not be "ram:*" as it denies all RAM actions.

The "Resource" of "AWS:Organization" is also incorrect.

Reference:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ram.html


First, let's understand the context of the scenario. Your team member is using AWS Resource Access Manager (RAM) to share resources with IAM users outside of the AWS Organization. You want to prevent this behavior by applying an SCP policy in the AWS Organization.

An SCP (Service Control Policy) is a type of AWS Organizations policy that sets the maximum permissions available to principals in the member accounts it is attached to. An SCP never grants permissions by itself; it acts as a guardrail, which is why it can be applied at the organization level in this scenario to prevent the creation of such resource shares.

Now, let's examine each of the policy options you have been given and see which one would best fit your scenario:

A.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
    "Resource": "*",
    "Condition": {"Bool": {"ram:RequestedAllowsInternalPrincipals": "true"}}
  }]
}

This policy allows the actions "CreateResourceShare" and "UpdateResourceShare" in RAM when the "RequestedAllowsInternalPrincipals" condition key is true. However, an "Allow" statement in an SCP can only widen what is permitted, never block anything, so this policy does not prevent resource sharing with IAM users outside of the AWS Organization.

B.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ram:*"],
    "Resource": "*",
    "Condition": {"Bool": {"ram:AllowsInternalPrincipalsOnly": "true"}}
  }]
}

This policy allows all actions in RAM ("ram:*") on all resources when the "AllowsInternalPrincipalsOnly" condition key is true. Again, because the effect is "Allow", the policy does not prevent resource sharing with IAM users outside of the AWS Organization.

C.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
    "Resource": "*",
    "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}}
  }]
}

This policy denies the actions "CreateResourceShare" and "UpdateResourceShare" in RAM whenever the request sets "RequestedAllowsExternalPrincipals" to true, that is, whenever a share is being opened to principals outside of the organization. Because an explicit "Deny" in an SCP overrides any "Allow", resource sharing with IAM users outside of the AWS Organization is prevented, while shares limited to accounts inside the organization are unaffected.

D.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ram:*"],
    "Resource": "AWS:Organization",
    "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "false"}}
  }]
}

This policy denies every RAM action ("ram:*"), not just the share-creation actions, and it does so when "RequestedAllowsExternalPrincipals" is false, i.e. for shares that stay inside the organization, so it does not block external sharing. The "Resource" value "AWS:Organization" is also not a valid resource specification. As the answer key states, option D is incorrect.

Based on your scenario, option C would be the best SCP policy to use, as it specifically denies the actions that allow sharing resources with IAM users outside of the AWS Organization.
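To make the difference between the options concrete, here is a small SCP evaluator, added here as an illustration and not code from the page or from AWS. It models only the evaluation rules that decide this question (an explicit Deny in any attached SCP wins, some Allow must apply, and the Bool condition operator); the request contexts and the resource-share ARN are constructed, and the policies are copied from options A and C above.

```python
"""Toy SCP evaluator for the options above (added example, not AWS code).
It models only what matters here: an explicit Deny in any attached SCP wins,
an Allow must exist somewhere (the default FullAWSAccess SCP supplies it), and
the Bool condition operator. Policies are copied from options A and C above."""
from fnmatch import fnmatch

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}

OPTION_A = {"Statement": [{"Effect": "Allow",
    "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"], "Resource": "*",
    "Condition": {"Bool": {"ram:RequestedAllowsInternalPrincipals": "true"}}}]}

OPTION_C = {"Statement": [{"Effect": "Deny",
    "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"], "Resource": "*",
    "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}}}]}

# Constructed request contexts: RAM sets this key when a share is created/updated
EXTERNAL_SHARE = {"ram:RequestedAllowsExternalPrincipals": "true"}
INTERNAL_SHARE = {"ram:RequestedAllowsExternalPrincipals": "false"}
SHARE_ARN = "arn:aws:ram:us-east-1:111122223333:resource-share/example"  # constructed


def _applies(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Bool conditions all match."""
    if not any(fnmatch(action, pattern) for pattern in stmt["Action"]):
        return False
    if not fnmatch(resource, stmt["Resource"]):
        return False
    for key, wanted in stmt.get("Condition", {}).get("Bool", {}).items():
        # Bool compares string forms; a key absent from the request never matches
        if str(ctx.get(key, "")).lower() != wanted.lower():
            return False
    return True


def evaluate(scps, action, resource, ctx):
    """Return 'Deny' or 'Allow' for one request under all attached SCPs."""
    stmts = [s for scp in scps for s in scp["Statement"]]
    if any(s["Effect"] == "Deny" and _applies(s, action, resource, ctx) for s in stmts):
        return "Deny"  # an explicit Deny always wins
    if any(s["Effect"] == "Allow" and _applies(s, action, resource, ctx) for s in stmts):
        return "Allow"
    return "Deny"  # nothing allowed it: implicit deny


def outcome(option, action="ram:CreateResourceShare"):
    """(external-share result, internal-share result) with FullAWSAccess also attached."""
    scps = [FULL_AWS_ACCESS, option]
    return (evaluate(scps, action, SHARE_ARN, EXTERNAL_SHARE),
            evaluate(scps, action, SHARE_ARN, INTERNAL_SHARE))
```

Running `outcome(OPTION_A)` gives `('Allow', 'Allow')` because an extra Allow blocks nothing, while `outcome(OPTION_C)` gives `('Deny', 'Allow')`: the external share is denied and the internal share still goes through.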