I am trying to use AWS Service Control Policy (SCP) on an Organization account and prevent users from the management account from deleting any S3 bucket except for a specific IAM User who is allowed to delete the S3 bucket.
I have implemented the policy below and specified the 'Condition' to only allow a specific IAM user (via aws:username) to delete the S3 bucket. However, I am finding that this 'Condition' is not working as expected: if the user 'BobSmith' tries to delete an S3 bucket via the AWS S3 dashboard, he gets a 'Permission Denied' message.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:username": [
            "BobSmith"
          ]
        }
      }
    }
  ]
}
```
The user 'BobSmith' logs into the Management Account and then uses 'Switch Role' to log in to the Organizational Unit (OU) account and then tries to delete a bucket from S3.
My understanding is that the above policy 'should' deny anyone the ability to delete any S3 bucket EXCEPT for IAM user BobSmith, but so far BobSmith is not able to delete any S3 bucket.
Have I not understood the above policy correctly? Am I missing something or doing something incorrectly? I would appreciate any pointers. Thanks.
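The evaluation behind the 'Permission Denied' described above, as an added example that is not part of the original post: a simplified Python model of how a Deny statement's Condition block is evaluated (not AWS's engine), run against constructed request contexts for BobSmith as an IAM user and after Switch Role. The account ids, the AdminRole name and the aws:PrincipalArn-based variant are illustrative assumptions.

```python
# Simplified model of IAM Condition evaluation for a Deny statement (added illustration,
# not the question's policy engine). Only the String* operators are modelled.
from fnmatch import fnmatchcase

def _match(op: str, value: str, allowed: list[str]) -> bool:
    """Evaluate one string operator (StringEquals/NotEquals/Like/NotLike) against one value."""
    hits = any(fnmatchcase(value, a) if "Like" in op else value == a for a in allowed)
    return not hits if "Not" in op else hits

def condition_matches(condition: dict, ctx: dict) -> bool:
    """True when every operator/key pair in the Condition block matches the request context."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        for key, allowed in pairs.items():
            allowed = [allowed] if isinstance(allowed, str) else list(allowed)
            if key not in ctx:
                if if_exists:
                    continue      # ...IfExists: a key missing from the context counts as a match
                return False      # plain operator: a missing key never matches
            if not _match(base, ctx[key], allowed):
                return False
    return True

def is_denied(statement: dict, ctx: dict) -> bool:
    """Does this Deny statement apply to the request? (Action and Resource are '*' matches here.)"""
    return statement["Effect"] == "Deny" and condition_matches(statement.get("Condition", {}), ctx)

# The statement from the question, plus two variants for comparison.
SCP_IF_EXISTS = {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": ["*"],
                 "Condition": {"StringNotEqualsIfExists": {"aws:username": ["BobSmith"]}}}
SCP_PLAIN = {**SCP_IF_EXISTS, "Condition": {"StringNotEquals": {"aws:username": ["BobSmith"]}}}
SCP_BY_ARN = {**SCP_IF_EXISTS, "Condition": {"StringNotLike": {            # hypothetical role name
    "aws:PrincipalArn": ["arn:aws:sts::*:assumed-role/AdminRole/BobSmith"]}}}

# Constructed request contexts (placeholder account ids). aws:username is populated only
# for an IAM user; after Switch Role the caller is an assumed-role session and the key is absent.
AS_IAM_USER = {"aws:username": "BobSmith",
               "aws:PrincipalArn": "arn:aws:iam::111111111111:user/BobSmith"}
AFTER_SWITCH_ROLE = {"aws:PrincipalArn": "arn:aws:sts::222222222222:assumed-role/AdminRole/BobSmith"}

if __name__ == "__main__":
    print("IfExists, as IAM user  -> denied:", is_denied(SCP_IF_EXISTS, AS_IAM_USER))        # False
    print("IfExists, after switch -> denied:", is_denied(SCP_IF_EXISTS, AFTER_SWITCH_ROLE))  # True
    print("plain,    after switch -> denied:", is_denied(SCP_PLAIN, AFTER_SWITCH_ROLE))      # False
    print("by ARN,   after switch -> denied:", is_denied(SCP_BY_ARN, AFTER_SWITCH_ROLE))     # False
```

The model assumes the SCP is attached to the OU containing the account BobSmith switches into; SCPs never restrict principals in the management account itself.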