DEV Community

David Krohn
David Krohn

Posted on • Originally published at globaldatanet.com

SCP Best Practices

What is an SCP?

Service Control Policies (SCPs) offer central access controls for all IAM entities in AWS accounts.
You can use them to enforce the permissions you want everyone in your business to follow or to be compliant with specific laws which you need to follow (eg.: you can deny regions or services to be DSGVO compliant). If you want to use SCPs you need to create and apply those SCPs through AWS Organizations - SCPs
can be assigned to AWS accounts or Organizational Units (OUs).

Alt Text

Something you should know about SCPs:

❗️ The Master account of the Organization can't be restricted by using SCPs.
❌ SCPs cannot restrict principals outside of the Organization.
⚠️ SCPs are similar to IAM boundaries.

In the following section I will introduce some of my and AWS SCP - Best Practices which I am using.
This SCPs will help you to secure your accounts and resources - plus it will help you to avoid unnecessary costs.

Avoid unnecessary costs

Deny creation of expensive services

When using an Organization, expensive services should be deployed centrally and shared with all accounts eg. private ACM. That way you can save some costs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyACM",
            "Effect": "Deny",
            "Action": [
                "acm-pca:CreateCertificateAuthority",
                "acm-pca:DeleteCertificateAuthority",
                "acm-pca:CreatePermission",
                "acm-pca:DeletePermission",
                "acm-pca:DescribeCertificateAuthorityAuditReport",
                "acm-pca:RestoreCertificateAuthority",
                "acm-pca:TagCertificateAuthority",
                "acm-pca:UntagCertificateAuthority"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/AWS-CentralCostTeam"
                }
            }
        }
    ]
}

Enter fullscreen mode Exit fullscreen mode

Deny purchasing of reserved instances

When using an Organization and your company need to manage reserved instances centrally you should limit the permissions to one team, which ensures that the reserved instances are fully used.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessToRI",
            "Effect": "Deny",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CancelCapacityReservation",
                "ec2:CancelReservedInstancesListing",
                "ec2:CreateCapacityReservation",
                "ec2:CreateReservedInstancesListing"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/AWS-CentralCostTeam"
                }
            }
        }
    ]
}


Enter fullscreen mode Exit fullscreen mode

Deny creation of savings plans

The same procedure applies for savings plans as for reserved instances in an Organization.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessToCreateSavingsPlans",
            "Effect": "Deny",
            "Action": [
                "savingsplans:CreateSavingsPlans"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/AWS-CentralCostTeam"
                }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Secure resources and accounts

Deny all SCP

If your account gets compromised it is recommended to have a deny all SCP to protect your data. This SCP is attached to a quarantine OU, which prohibits every action in the compromised account.

{    
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Quarantine",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Region enforcement

You need to be sure that your company just uses one region?! The following policy will enforce that your member accounts are using the specified region.
⚠️ You need to define the global services in the NotAction otherwise the accounts are not able to use them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictToOneRegion",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "artifact:*",
                "aws-portal:*",
                "budgets:*",
                "ce:*",
                "chime:*",
                "cloudfront:*",
                "cur:*",
                "datapipeline:GetAccountLimits",
                "directconnect:",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "mobileanalytics:*",
                "organizations:*",
                "resource-groups:*",
                "route53:*",
                "route53domains:*",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "shield:*",
                "support:*",
                "tag:*",
                "trustedadvisor:*",
                "waf:*",
                "wellarchitected:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1"
                    ]
                }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

⚠️ If you want to use Lambda@Edge you need to add also the service lambda:* to NotAction.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictToOneRegion",
            "Effect": "Deny",
            "NotAction": [
                "lambda:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "eu-central-1"
                    ]
                }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Secure Security-Baseline: Deny ability to disable GuardDuty

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in you accounts. In an Organization you should use a master account and connect member accounts to it. The following policy ensures it can’t be turned off, the member can't be disassociated from the master or that a user can't create sample findings.

  {
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:CreateSampleFindings",
        "guardduty:DisassociateFromMasterAccount"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/StackSet-GuardDuty-Member-LambdaExecutionRole*"
        }
      }
    }
Enter fullscreen mode Exit fullscreen mode

Secure Security-Baseline: Deny ability to disable Config

Config is a service to audit and evaluate the configurations in your accounts.
The following SCP prevents users or roles to disable or alter Config, except the specified role which is needed for a Lambda to enable and configure Config in all regions.

{
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:StartConfigurationRecorder"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/StackSet-Enable-Config-*"
        }
      }
    }
Enter fullscreen mode Exit fullscreen mode

Secure Security-Baseline: Deny leaving the Organization

Secure your Organization that no accounts can leave your Organization, where they would no longer be restricted by your SCPs.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "organizations:LeaveOrganization",
        "Resource": "*"
    }
}
Enter fullscreen mode Exit fullscreen mode

Deny root access

AWS recommends a SCP for denying use of the root user. The following policy enforces that the root user can't be used.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "DenyRootUser",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

How to test SCPs or how to handle SCPs without breaking things?

Lets start with the bad news, unfortunately there is no audit mode for SCPs, but you can use the API - GetOrganizationsAccessReport from the IAM Access Advisor to identify unused services. This API will help you to see whether services are used in an account or OU. I always use a separate OU to test new SCPs by moving a test account to see, if my SCP works as desired.

Top comments (0)