I'm working for a company that has over 200 clients, and we're trying to set up an AWS cross-account backup Service Control Policy (SCP) for each client. The challenge is that each client has multiple accounts, and I want them to back up only within their own customer Organizational Unit (OU). For instance, an account for customer1 in dev should be allowed to copy its backups to customer1's prod account, but not to customer2's accounts. I'm new to this, so I'm hoping to explain it clearly, but I understand there's a risk with wildcards that could let anyone back up to anyone's account. I'm looking for guidance on how to dynamically apply these policies for each client. Thanks in advance!
1 Answer
Hey there! Just a heads up, SCPs are typically used to restrict users from performing specific actions, like preventing certain services or blocking IAM user creation. It sounds like you're more interested in explicit backup policies. Maybe you want to look into specifics for RDS or S3 instead? Let me know if I've misunderstood your question or if you can clarify what you're trying to back up!

Thanks for your input! I'm still figuring things out since I just joined a team that uses AWS. We do have a broad SCP allowing everything, but there's a layer of other SCPs that deny certain actions unless you're with a specific customer. Initially, I want to establish an SCP that keeps customer1 from accessing customer2's data once I put the backup policy in place. Does that sound right?
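One way to express the per-customer restriction the question describes, as an added example that is not part of the question or either reply: a deny-only SCP attached to one customer's OU that blocks copy jobs and backup plans whose copy destination lies outside that OU. The organization, root and OU identifiers are placeholders, and the `backup:CopyTargetOrgPaths` condition key is assumed here to be the key AWS Backup exposes for copy destinations; confirm it against the current AWS Backup service authorization reference before attaching the policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBackupCopyOutsideCustomer1OU",
      "Effect": "Deny",
      "Action": [
        "backup:StartCopyJob",
        "backup:CreateBackupPlan",
        "backup:UpdateBackupPlan"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "backup:CopyTargetOrgPaths": [
            "o-EXAMPLEORG/r-EXAMPLEROOT/ou-EXAMPLE-customer1/*"
          ]
        }
      }
    }
  ]
}
```

The OU path value ends with the customer's OU followed by `/*`, so vaults in that OU and in any OU nested under it are acceptable destinations, while any request naming a vault in another customer's OU is denied even if that vault's access policy uses a wildcard principal. Because the statement is a Deny, it is safe to generate one copy per customer OU (only the `Sid` and the OU path change) without touching the broad Allow SCP already in place. An SCP never grants anything, so the destination vault in the prod account still needs a vault access policy that allows `backup:CopyIntoBackupVault` for the source account, and the copying role still needs its own IAM permissions.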