AWS Service Control Policies (SCPs)
AWS Service Control Policies (SCPs) provide organization-wide governance and permission boundaries for AWS accounts within AWS Organizations.
ā
Key Characteristics of SCPs
SCPs do not grant permissions; they only restrict what IAM users, roles, and groups can do.
Applied at the account or Organizational Unit (OU) level, not to individual IAM users or roles.
Useful for compliance, security enforcement, and cost control.
š Common SCP Use Cases & Examples
1ļøā£ Restricting AWS Services
Use Case: Prevent usage of unauthorized AWS services in specific AWS accounts. ā Helps enforce compliance by blocking non-approved services. ā Ensures developers only use approved services for workloads.
2ļøā£ Preventing IAM User & Role Creation
Use Case: Ensure IAM roles and users can only be created in the management account. ā Avoids security risks from uncontrolled IAM roles. ā Prevents unauthorized IAM role escalation by developers.
3ļøā£ Blocking Public S3 Buckets
Use Case: Prevent developers from making S3 buckets public, ensuring sensitive data remains secure. ā Prevents accidental exposure of S3 objects. ā Ensures compliance with security policies by enforcing bucket-level security.
4ļøā£ Enforcing AWS Region Restrictions
Use Case: Restrict AWS resource creation to approved regions (e.g., only allow us-east-1 and eu-west-1).
ā
Helps with data residency compliance (e.g., GDPR).
ā
Prevents unauthorized deployment in high-cost or restricted regions.
5ļøā£ Preventing CloudTrail Log Deletion
Use Case: Ensure audit logs remain intact by blocking deletion of CloudTrail logs. ā Prevents malicious log deletion that could cover up security incidents. ā Ensures compliance with audit and regulatory requirements.
6ļøā£ Preventing Root User Actions
Use Case: Restrict AWS root user actions to prevent unauthorized changes. ā Enhances security by reducing root account usage. ā Encourages IAM role-based access control instead of root access.
7ļøā£ Enforcing Encryption on All AWS Storage Services
Use Case: Ensure all stored data is encrypted at rest across S3, RDS, and EBS. ā Helps meet compliance and security best practices. ā Ensures data confidentiality by enforcing encryption.
8ļøā£ Enforcing AWS Config for Compliance Monitoring
Use Case: Ensure AWS Config is enabled across all accounts to track resource changes and compliance. ā Helps with security audits and compliance reporting. ā Ensures resources are continuously monitored for misconfigurations.
Implementation Considerations:
Apply SCPs to enforce AWS Config in all accounts.
Combine with AWS Config rules to detect and remediate non-compliant resources.
Use AWS Config Aggregator in the management account to collect compliance data across all accounts.
ā Example Scenario: A company wants to enforce encryption on all S3 buckets across its AWS Organization. They implement an AWS Config rule that checks for S3 bucket encryption and an SCP that prevents disabling AWS Config.
š Best Practices for SCP Implementation
ā Apply SCPs at the Organizational Unit (OU) level for better manageability. ā Use Allow/Deny strategically to enforce security while avoiding disruption. ā Test SCPs before applying them using the IAM Policy Simulator. ā Combine SCPs with IAM Policies for fine-grained access control. ā Monitor SCP enforcement using AWS Organizations logs.
š Common Mistakes
ā Overly restrictive SCPs blocking essential services. ā Applying SCPs without testing, leading to broken workflows. ā Forgetting that SCPs do not grant permissions (IAM policies are still required). ā Not applying SCPs at the Organizational Unit (OU) level, leading to inconsistency.
š Summary
š AWS Service Control Policies (SCPs) provide centralized governance for AWS accounts, enabling security, compliance, and cost management. ā Restrict IAM role creation to prevent privilege escalation. ā Block public S3 bucket access for data security. ā Prevent CloudTrail deletion to ensure auditability. ā Restrict AWS service usage to avoid unnecessary costs. ā Enforce encryption across AWS storage services for compliance. ā Ensure AWS Config is enabled to track compliance and security changes.
Last updated