Comments (2)
👍
from landing-zone-accelerator-on-aws.
Hey @richardkeit, thanks for writing this up. I know you mentioned in the linked issue that you narrowed this down to not setting the strategy for the SCP explicitly. I'm reviewing the code, and still am unsure of why that would be occurring.

Specifically I'm looking at this code:

```typescript
// if SCP strategy is allow-list, then FullAWSAccess policy should be detached
if (strategy === 'allow-list' && fullAwsAccessPolicyAttached) {
  console.log('detaching FullAWSAccess policy because the strategy is allow-list');
  await detachSpecificPolicy(organizationsClient, 'p-FullAWSAccess', targetId);
}
// if SCP strategy is changed from allow-list to deny list, then FullAWSAccess policy should be attached
if (strategy === 'deny-list' && !fullAwsAccessPolicyAttached) {
  console.log('attaching FullAWSAccess policy because the strategy is deny-list');
  await attachSpecificPolicy(organizationsClient, 'p-FullAWSAccess', targetId);
}
```
This is where I would expect the bug to exist. Can you share the logs of the AWSAccelerator-AccountsSt-CustomOrganizationsAttac-cxRdNSFHLylv Lambda function? They may provide more insight on what is leading to the detachment of that policy.
from landing-zone-accelerator-on-aws.
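The two branches quoted in the comment above are small enough to model as a pure function and tabulate, which is a useful way to reason about a report like this one before pulling Lambda logs. The block below is an added example written for this page, not code from landing-zone-accelerator-on-aws: `planFullAwsAccessAction` reproduces only the quoted comparisons, and `planWithDefault` is a hypothetical hardened variant (the default strategy value and the log line are assumptions, not the project's behaviour). What the model makes visible is that, with strict equality on `'allow-list'` and `'deny-list'`, an unset strategy matches neither branch and leaves FullAWSAccess exactly as it was found, so a detach can only come from a run in which `strategy` actually equals `'allow-list'` while the policy is attached.

```typescript
// Added example (not landing-zone-accelerator-on-aws code): a pure model of the two
// quoted branches so their outcome can be tabulated without calling AWS Organizations.

type ScpStrategy = 'allow-list' | 'deny-list';

// 'none' means neither branch fires and FullAWSAccess is left as it currently is.
type FullAwsAccessAction = 'attach' | 'detach' | 'none';

// Mirrors the quoted logic: strategy is compared with strict equality, so any other
// value (including undefined, i.e. strategy not set explicitly) skips both branches.
function planFullAwsAccessAction(
  strategy: ScpStrategy | undefined,
  fullAwsAccessPolicyAttached: boolean,
): FullAwsAccessAction {
  if (strategy === 'allow-list' && fullAwsAccessPolicyAttached) {
    return 'detach';
  }
  if (strategy === 'deny-list' && !fullAwsAccessPolicyAttached) {
    return 'attach';
  }
  return 'none';
}

// Hypothetical hardened variant (an assumption, not the project's behaviour): resolve a
// missing strategy to an explicit default before branching, and log that the default was
// applied so the decision is visible in the Lambda's CloudWatch logs.
function planWithDefault(
  strategy: ScpStrategy | undefined,
  fullAwsAccessPolicyAttached: boolean,
  defaultStrategy: ScpStrategy = 'deny-list',
  log: (msg: string) => void = console.log,
): FullAwsAccessAction {
  const effective: ScpStrategy = strategy ?? defaultStrategy;
  if (strategy === undefined) {
    log(`scp strategy not set explicitly; defaulting to ${defaultStrategy}`);
  }
  return planFullAwsAccessAction(effective, fullAwsAccessPolicyAttached);
}

interface DecisionRow {
  strategy: string;
  attached: boolean;
  action: FullAwsAccessAction;
}

// Every combination of strategy value and current attachment state, so a reviewer can
// see at a glance which inputs can ever lead to a detach of FullAWSAccess.
function decisionTable(): DecisionRow[] {
  const rows: DecisionRow[] = [];
  const strategies: Array<ScpStrategy | undefined> = ['allow-list', 'deny-list', undefined];
  for (const strategy of strategies) {
    for (const attached of [true, false]) {
      rows.push({
        strategy: String(strategy),
        attached,
        action: planFullAwsAccessAction(strategy, attached),
      });
    }
  }
  return rows;
}

// Print the table when run directly.
for (const row of decisionTable()) {
  console.log(`${row.strategy.padEnd(10)} attached=${String(row.attached).padEnd(5)} -> ${row.action}`);
}
```

Only one of the six rows produces `detach` (`allow-list` with the policy attached); both `undefined` rows are no-ops. That is the property worth checking against the Lambda logs the maintainer asks for: the log line the quoted code prints on detach would confirm which strategy value the handler actually saw.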