Managing Cloud Rules on OUs


The Cloud Rules section on an OU allows you to manage cloud rules on the selected OU. When you attach a cloud rule to an OU, it will apply the cloud rule to all projects directly attached to the OU and all projects directly attached to all child OUs, all the way down the organization structure. This allows you to manage a set of rules from a single place.

Where To Manage Cloud Rules on OUs

To access the Cloud Rules section of an OU:

  1. In the left navigation menu, click OUs.
  2. Click the name of the OU for which you'd like to manage cloud rules.
  3. Click the Cloud Management tab. The Cloud Rules sub-tab will show by default.

On this screen, you can view information about cloud rules and their origin and status. You can also:

Create A New Cloud Rule and Apply It To This OU

To add a new cloud rule and apply it to the OU:

  1. Click the ellipsis menu in the upper right corner of the Cloud Rules box.
  2. Click Create new cloud rule. You can view the Add a Cloud Rule page for guidance on creating the cloud rule. Once you click Create Cloud Rule at the bottom of the cloud rule creation form, it will automatically be applied to the OU that you started from.

Add An Existing Cloud Rule To This OU

  1. Click the ellipsis menu in the upper right corner of the Cloud Rules box.
  2. Click Add existing cloud rule, select a cloud rule from the drop-down menu that displays, and click Confirm Selection. The cloud rule you selected is now applied to this OU.

Remove A Cloud Rule From This OU

The following steps remove a cloud rule from an OU (they do NOT delete the cloud rule itself; see Delete a Cloud Rule for instructions on how to do that).

  1. Click the caret next to the cloud rule name to expand its info.
  2. Click the ellipsis menu next to the Status column in the newly-expanded row.
  3. Click Remove from the drop-down menu. If the remove option does not appear, the cloud rule may not be applied locally. To remove the effects of an inherited cloud rule you'll need to request a cloud rule exemption.

Cloud Rule Effects

When a cloud rule is applied to an OU, the following actions occur on all projects below:

  • All AWS IAM policies on the cloud rule will apply to all the cloud access roles (IAM roles) on the projects. When AWS IAM policies are stacked, they follow the AWS IAM policy evaluation logic: any statement with the Deny effect takes precedence over any statement with the Allow effect. This allows you to use a policy with a Deny effect and a NotAction key to limit which services are allowed, even if an administrative policy is applied to the same IAM role. These IAM policies will not affect other roles that exist in the AWS account that are not managed by
  • The pre-rule webhook and the post-rule webhook will trigger on each AWS account on the project.
  • Each AWS CloudFormation template on the cloud rule will apply (in order) on the AWS accounts attached to the projects. If any template fails, execution stops and the failure shows up on the OU Diagnostics screen, which can be accessed from the ellipsis menu on the OU card. You can use these templates to baseline the AWS accounts, for example with templates that set up CloudTrail and AWS Config, or to do anything else in the account that you need.
  • All AWS AMIs will be shared with the AWS accounts attached to the projects.
  • All AWS service catalog portfolios will be shared with the AWS accounts attached to the projects.
  • All Azure role definitions on the cloud rule will be merged with the role definitions on each of the cloud access roles on child projects into a single role definition for each cloud access role. This is powerful because the "notActions" sections of the Azure roles will work across roles so you can deny specific permissions even if someone gives themselves a role which might allow them to perform some action.
  • Each Azure ARM template will create the resource group mentioned in the ARM template definition if it does not exist, then apply the ARM template to that resource group for every Azure subscription on every project under this OU. This happens in order of the ARM templates listed on the cloud rule.
  • All Azure policies on the cloud rule will apply to every Azure subscription in child projects.
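The two permission-merging behaviours described in the list above are easy to get wrong, so here is an added example (not code from the original article or from the product) that models them. It shows AWS's evaluation of stacked identity policies on one role, where an explicit Deny in any policy wins over an Allow in any other, using a Deny + NotAction guardrail stacked on an administrative Allow; and it contrasts separately assigned Azure role definitions (where a notActions entry only narrows its own role) with a single merged role definition (where notActions apply across the union of all actions). The policy documents and role definitions are constructed samples, and the evaluator only models Action/NotAction matching: Resource is treated as "*" and Condition blocks are ignored.

```python
import fnmatch

# Constructed sample policies (not from the page). An administrative policy
# that allows everything, stacked with a guardrail policy that denies every
# action outside an allowlist of services via Deny + NotAction.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"],
        "Resource": "*",
    }],
}

# Constructed Azure role definitions (not the real built-in roles).
OWNER_LIKE_ROLE = {"actions": ["*"], "notActions": []}
STORAGE_ROLE = {
    "actions": ["Microsoft.Storage/*"],
    "notActions": ["Microsoft.Authorization/*/write"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(name, pattern):
    # AWS action names and Azure operation names are case-insensitive;
    # '*' matches any run of characters, including '/' and ':'.
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def statement_applies(statement, action):
    """Does the statement's Action/NotAction clause cover this action?"""
    if "Action" in statement:
        return any(_matches(action, p) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_matches(action, p) for p in _as_list(statement["NotAction"]))
    return False


def evaluate(policies, action):
    """Simplified IAM evaluation for the identity-based policies on one role.

    Returns "explicit_deny", "allow" or "implicit_deny". As in the real
    evaluation order, a matching Deny statement in any policy wins over a
    matching Allow statement in any other policy.
    """
    decision = "implicit_deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not statement_applies(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            if statement["Effect"] == "Allow":
                decision = "allow"
    return decision


def is_allowed(policies, action):
    return evaluate(policies, action) == "allow"


def azure_permitted(role_definition, operation):
    """One role definition permits an operation if actions match and notActions do not."""
    allowed = any(_matches(operation, p) for p in role_definition.get("actions", []))
    excluded = any(_matches(operation, p) for p in role_definition.get("notActions", []))
    return allowed and not excluded


def azure_permitted_separately(role_definitions, operation):
    """Separate role assignments: permitted if ANY one role permits the operation."""
    return any(azure_permitted(rd, operation) for rd in role_definitions)


def merge_azure_roles(role_definitions):
    """Merge several role definitions into one, so every notActions entry
    applies across the union of all actions (the behaviour described above)."""
    merged = {"actions": [], "notActions": []}
    for rd in role_definitions:
        for key in merged:
            for entry in rd.get(key, []):
                if entry not in merged[key]:
                    merged[key].append(entry)
    return merged


if __name__ == "__main__":
    stacked = [ADMIN_POLICY, GUARDRAIL_POLICY]
    for action in ["ec2:RunInstances", "iam:CreateUser", "s3:GetObject"]:
        print(action, "->", evaluate(stacked, action))
    roles = [OWNER_LIKE_ROLE, STORAGE_ROLE]
    op = "Microsoft.Authorization/roleAssignments/write"
    print("separate roles:", azure_permitted_separately(roles, op))
    print("merged role:   ", azure_permitted(merge_azure_roles(roles), op))
```

Running the script shows that the administrative policy alone allows iam:CreateUser, but the stacked guardrail turns that into an explicit deny while leaving ec2:RunInstances allowed; and that the Owner-like Azure role permits a role-assignment write on its own, but the merged definition does not, because the storage role's notActions entry now applies to the merged "*" action.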

If more than one cloud rule is applied to a project, the order in which the rules execute is not guaranteed. Inside a single cloud rule, the only guaranteed ordering is: pre-rule webhook, CloudFormation templates, post-rule webhook. The remaining items all apply at the same time.
