digitc1/AWSLandingZone

Allow access to delete GuardDuty detector and publishing location

barrjam opened this issue · 3 comments

We have an account without the Landing Zone 5295-4528-9482 where we want to configure GuardDuty.

We do not have access to delete the GuardDuty detector and publishing location.
(I think - not sure - we had access to set the GuardDuty detector and publishing location.)
The Policy Simulator implies that this is due to an SCP that denies access.

Suggested solution, confirmed by Austin, is to move the account to an OU where this specific SCP is not applied.

SCP LandingZonePolicies has been removed from the \Security\CertEU OU and is now applied directly on \Security\DigitS OU.

@barrjam : please test and come back to us

Yes, that seems to work. Many Thanks :-)