Edit me

Onboarding to nOps with Service Control Policies (SCP)

As cloud security becomes more of a concern, the adoption of Control Tower and Service Control Policies (SCP) has increased substantially. Because of their nature, SCPS can inhibit nOps from viewing necessary resource information to make cost optimization recommendations. It can also impact visibility capabilities, such as looking at resource tags.

Our recommendation is to add an exception for the nOps role(s) to be ignored by the SCPs.

This can be done by adding an ArnNotLike statement for the Nops-Integration role name with a wildcard.

            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1",
                        "eu-west-1"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/StackSet-nOps-Integration*",
                        "arn:aws:iam::*:role/Nops-Integration*"
                    ]
                }
Managing Karpenter Configurations With nOps IaC support
Managing Resources With Karpenter GitOps Support
Configuring ASGs by Tag
nOps Copilot-Managed ASGs
Compute Copilot For ASG Support Matrix
Onboarding your Autoscaling Groups to nOps Compute Copilot
Onboarding your Autoscaling Groups to nOps Compute Copilot via Stackset
Compute Copilot for ECS
Onboarding your EKS clusters to Copilot for EKS Cluster Autoscaler
EKS Insights Dashboard
Compute Copilot for EKS - Karpenter Beta Support
Onboarding your EKS clusters to Compute Copilot for EKS Karpenter
Minimum IAM permissions for the nOps platform
IAM permissions for the nOps platform
IAM permissions for Essentials
Commitment Management Permissions
Offboarding from the nOps platform
Onboarding AWS Accounts to nOps with Terraform
Onboarding Multiple AWS Linked Accounts with CloudFormation
Onboarding AWS with Automatic Setup
Onboarding AWS with 1-click CloudFormation
AWS SSO Integration
Azure SSO Integration
SSO Integration
Okta SSO Integration
OneLogin SSO Integration
Back to top       Home