AWS SCP Catalog
When AWS reports an error caused by a Service Control Policy (SCP), the SCP is typically identified by ARN or ID. The problem is that the SCP catalog, reached via AWS Organizations > Policies > Service control policies, lists policies by name, not by ID or ARN. Here’s how to avoid clicking through each policy to see whether its name belongs to the ID in the error.
For purposes of this article, I need to assume that you have
- the appropriate level of Administrative access to an AWS Organization,
- enabled one or more SCPs, via Control Tower or perhaps even manually,
- API access to the Organization’s management account,
- the aws command-line utility configured to use that API access,
- the jq utility available in your shell environment.
If so, here are the two shell scripts I run to retrieve our organizational SCPs in a form I can inspect and compare with error messages. These scripts would probably be more elegant in Python, but shell works for me.
First off, I collect all current SCPs into a file I call policynames.json:
aws organizations list-policies \
--filter SERVICE_CONTROL_POLICY > policynames.json
Each stanza in the JSON file will provide metadata for a policy: Id, Arn, Name, Description, etc. This makes it possible to map IDs to names easily.
Second, I write each policy to a JSON file with the SCP’s ID as the file’s base name.
# Loop over every policy Id in policynames.json; -r on read keeps backslashes intact.
jq -r '.Policies[].Id' policynames.json | while read -r POLID; do
    # Policy.Content comes back as one JSON-encoded string; jq parses and pretty-prints it.
    aws organizations describe-policy \
        --policy-id "$POLID" --query 'Policy.Content' --output text |\
        jq . > "${POLID}.json"
done
Each individual file will contain the policy. With the policies available in readable JSON, identifying the conflict becomes much easier.
I use jq to de-quote and format the raw aws responses. Without it, the output is much harder to read.
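The same two steps in Python, as an added example that is not the post's own scripts: it indexes the list-policies output by Id, pulls every SCP ID (bare or inside an ARN) out of an error message and maps it to a policy name, and does the jq-style parsing of describe-policy's Content string. The policy IDs, organization ID, account number, policy names and the error text are constructed for the example; a real run would substitute the two aws commands' output for the sample strings.

```python
"""Map SCP IDs/ARNs cited in AWS error messages back to policy names (added example)."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape returned by
#   aws organizations list-policies --filter SERVICE_CONTROL_POLICY
# Policy IDs, organization ID, account number and names are made up.
SAMPLE_POLICYNAMES_JSON = json.dumps({
    "Policies": [
        {
            "Id": "p-1a2b3c4d",
            "Arn": "arn:aws:organizations::111111111111:policy/o-exampleorg"
                   "/service_control_policy/p-1a2b3c4d",
            "Name": "DenyLeavingOrganization",
            "Description": "Prevent member accounts from leaving the organization",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": False,
        },
        {
            "Id": "p-5e6f7a8b",
            "Arn": "arn:aws:organizations::111111111111:policy/o-exampleorg"
                   "/service_control_policy/p-5e6f7a8b",
            "Name": "DenyUnapprovedRegions",
            "Description": "Deny API calls outside the approved regions",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": False,
        },
    ]
})

# Constructed sample of what `describe-policy --query Policy.Content --output text`
# prints: the policy document is a single JSON-encoded string, hence the jq step.
SAMPLE_POLICY_CONTENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}
    ],
})

# Constructed error message citing the SCP by ARN, as the post describes.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the LeaveOrganization "
    "operation: User: arn:aws:iam::111111111111:user/example is not authorized to "
    "perform: organizations:LeaveOrganization with an explicit deny in a service "
    "control policy arn:aws:organizations::111111111111:policy/o-exampleorg"
    "/service_control_policy/p-1a2b3c4d"
)

# SCP IDs look like p- followed by lowercase alphanumerics; the same token ends the ARN.
SCP_ID_RE = re.compile(r"\bp-[0-9a-z]{8,}\b")


def load_policy_index(policynames_json: str) -> Dict[str, dict]:
    """Index list-policies output by Id so an ID from an error maps straight to metadata."""
    data = json.loads(policynames_json)
    return {p["Id"]: p for p in data["Policies"]}


def scp_ids_in(message: str) -> List[str]:
    """Return every distinct SCP ID in a message, whether bare or embedded in an ARN."""
    found: List[str] = []
    for pid in SCP_ID_RE.findall(message):
        if pid not in found:
            found.append(pid)
    return found


def resolve_scp_names(message: str, index: Dict[str, dict]) -> List[Tuple[str, Optional[str]]]:
    """Pair each cited SCP ID with its Name, or None if the ID is not in the catalog."""
    return [(pid, index[pid]["Name"] if pid in index else None) for pid in scp_ids_in(message)]


def pretty_policy(content_text: str) -> str:
    """Equivalent of `jq .` on describe-policy's Content: parse the string, re-indent it."""
    return json.dumps(json.loads(content_text), indent=2)


def deny_statements(content_text: str) -> List[dict]:
    """List the Deny statements of a policy document; Statement may be a dict or a list."""
    stmts = json.loads(content_text).get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts if s.get("Effect") == "Deny"]


if __name__ == "__main__":
    index = load_policy_index(SAMPLE_POLICYNAMES_JSON)
    for pid, name in resolve_scp_names(SAMPLE_ERROR, index):
        print(f"{pid} -> {name or '(not in catalog)'}")
    print(pretty_policy(SAMPLE_POLICY_CONTENT))
```

Feed the real policynames.json and the text of the error into load_policy_index and resolve_scp_names; an ID that resolves to None means the error cites an SCP the management account's catalog does not list, which is itself worth investigating.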