Enhancing AWS Security with Service Control Policies (SCPs)

Overview

In today’s cloud-centric world, managing permissions and ensuring security across multiple AWS accounts can be daunting. AWS Organizations provides a powerful feature called Service Control Policies (SCPs) that allows you to manage and enforce permissions across your entire organization centrally. In this blog post, we’ll explore how to implement SCPs to control access to AWS services and resources across different accounts within your AWS Organization.

Service Control Policies (SCPs)

Service Control Policies (SCPs) are a type of policy that you can use to manage permissions in your AWS Organization. SCPs allow you to set permission guardrails, defining the maximum permissions that AWS IAM users and roles in your organization can have. It’s important to note that SCPs do not grant permissions themselves; instead, they limit the permissions that identity-based and resource-based policies can grant.

Setting Up AWS Organizations

Before you can implement SCPs, you need to set up AWS Organizations. AWS Organizations allows you to consolidate multiple AWS accounts into a single organization that you can centrally manage. Here’s how to get started:

1. Create an AWS Organization: If you haven’t already, create an AWS Organization from the AWS Management Console.
2. Enable All Features: Ensure your organization has all features enabled, as SCPs are only available in organizations with all features enabled.
3. Create Organizational Units (OUs): Organize your accounts into OUs based on your business structure or security requirements.

Creating and Attaching SCPs

Once your AWS Organization is set up, you can create and attach SCPs to your OUs or individual accounts. Follow these steps:

Step 1: In AWS Console, Search “AWS Organization”

Step 2: Go into policies and click on “Create policy”

Step 3: Give a name to the policy and write a policy description.

Step 4: Write a policy in the given section.

Define Your SCP: Write the SCP in JSON format. SCPs use the same syntax as AWS IAM policies. Here’s an example SCP that denies access to specific AWS regions:

This will allow resource creation only in the Mumbai region. This policy stops actions in any region except for ap-south-1 and ap-south-2. It will be denied if you try to do something outside of these two regions.

Step 5: After writing a policy, click on Create Policy, and then you can see as below:

Step 6: Recheck and verify before applying it on the account level

Attach the SCP: Attach the SCP to the appropriate OU or account. You can do this from the AWS Management Console.

Step 7: As shown below, you can apply policies at the targeted account and root levels. Applying on root will automatically apply on all the accounts that come under it.

Step 8: Apply the policy successfully.

Testing and Monitoring SCPs

It’s crucial to thoroughly test your SCPs before applying them broadly. AWS recommends creating a test OU and moving accounts into it one at a time to ensure that the SCPs do not inadvertently block necessary permissions. Additionally, you can use AWS CloudTrail and AWS IAM Access Analyzer to monitor and analyze the effects of your SCPs.

Best Practices for SCPs

Here are some best practices to keep in mind when implementing SCPs:

• Start with a Deny List: Begin with a deny list policy strategy to block unwanted actions and services.
• Use Service Last Accessed Data: Utilize service last accessed data to refine your SCPs and ensure they only restrict necessary services.
• Regularly Review and Update SCPs: Periodically review and update your SCPs to adapt to changing business and security requirements.

Conclusion

Following the steps outlined in this blog post, you can effectively control access to AWS services and resources, helping your organization stay within its access control guidelines.

Drop a query if you have any questions regarding Service Control Policies and we will get back to you quickly.

About CloudThat