What are SCPs?

Service control policies (SCPs) are crucial guardrails within AWS environments: a principal's effective permissions are the intersection of the SCPs that apply to it with its identity policies, resource policies, and permission boundaries. SCPs apply only to principals within your organization. For resources accessed from outside your AWS organization, AWS resource policies are the tool for restricting access.

To implement effective SCP policies, it’s vital to align the right controls with the right guardrails:

Crafting effective SCP policies involves several key strategies:

  1. Utilize Inheritance: SCPs can allow or deny actions across your organization. A Deny set at the root propagates down to every OU and account beneath it, while an Allow at the root is not inherited: an action is permitted only if it is allowed at every level from the root down to the account. There is no implicit allow; each level must explicitly define what it permits.

  2. Combine Policies: There is a limit of 5 SCPs per root, OU, or account, so combining policies efficiently is essential. By default, accounts have full access, but this does not imply unrestricted permissions. It indicates the absence of guardrails set by SCPs, leaving permission control to identity policies, resource policies, and permission boundaries.

  3. Compact Policies: SCP policies have a maximum size limit of 5120 bytes. Keeping policies concise and focused ensures efficient management and avoids exceeding this limit.
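The three rules above can be made concrete with a small model of how SCPs combine along the root → OU → account path. This is an added example, not code from the original post: it models only the Effect/Action logic described here (trailing `*` wildcards, no Condition or Resource evaluation), and the byte count is an approximation of how AWS measures policy size.

```python
import json
from fnmatch import fnmatchcase

MAX_SCP_BYTES = 5120      # size limit per SCP document
MAX_SCPS_PER_TARGET = 5   # attachment limit per root, OU or account

def _matches(actions, action):
    """Match an action against an 'Action' entry; only '*' wildcards are modelled."""
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatchcase(action, pattern) for pattern in actions)

def level_allows(scps, action):
    """One level permits an action only if some attached SCP allows it and none denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def effective_allow(path, action):
    """`path` lists the SCPs attached at each level, root first, account last.
    No implicit allow: every level must allow; a Deny at any level is final."""
    return all(level_allows(scps, action) for scps in path)

def validate_target(scps):
    """Check the two hard limits before attaching a set of SCPs to one target."""
    if len(scps) > MAX_SCPS_PER_TARGET:
        raise ValueError(f"{len(scps)} SCPs on one target; limit is {MAX_SCPS_PER_TARGET}")
    for scp in scps:
        size = len(json.dumps(scp, separators=(",", ":")).encode())  # approximate
        if size > MAX_SCP_BYTES:
            raise ValueError(f"SCP is {size} bytes; limit is {MAX_SCP_BYTES}")
    return True

# Constructed sample policies for illustration, not production SCPs.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
ALLOW_S3_EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

# root -> OU -> account: the root Deny reaches the account, the root Allow does not.
PATH = [[FULL_ACCESS, DENY_LEAVE_ORG], [FULL_ACCESS], [ALLOW_S3_EC2_ONLY]]
```

With `PATH`, `s3:GetObject` is allowed at every level, `iam:CreateUser` fails only because the account level never allows it, and `organizations:LeaveOrganization` is blocked by the root Deny regardless of what lower levels say.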

Here are five essential SCP policies:

  1. Prevent Organization Departures: Centralize security and audit functions across all accounts, simplifying management and access control while optimizing costs.
  2. Restrict AWS Region Usage: Allow only approved AWS regions for deployment and resource allocation.
  3. Disable Root User: Prevent the usage of the root user account to enhance security posture.
  4. Safeguard Security Services: Prohibit the disabling of critical security services to maintain a secure environment.
  5. Secure Sensitive S3 Buckets: Implement measures to protect sensitive data stored in AWS S3 buckets.

AWS Organization housekeeping

  1. Manage all phases of the account lifecycle through code
    • CreateAccount and CloseAccount permissions are available only to automation principals.
  2. Pipeline to deploy SCP changes
  3. Organization membership by creation, not by invitation
  4. Member accounts cannot leave or be removed from the organization
  5. Permissions like LeaveOrg, InviteOrg or RemoveOrg are permanently blocked via permission boundaries
  6. Never use FullAWSAccess at the account level; explicitly allow services per account
  7. Use a single baseline SCP attached to all accounts to enable automation, security and operational controls.
  8. Use SCPs to deny exfiltration
  9. Allow changes to SCPs through OU membership, and deny all actions on locked or decommissioned OUs

Implementing and maintaining these SCP policies ensures a robust security posture and compliance within your AWS environment.