Tutorial / Cram Notes
Service Control Policies (SCPs) are a powerful tool for administrators who want to manage permissions in their AWS environment, particularly when using AWS Organizations. SCPs allow you to define the maximum permissions for members of an organization or organizational unit (OU). By implementing SCPs, you can enforce policies to ensure that actions taken across your AWS accounts adhere to your organization’s security and compliance requirements.
For instance, SCPs can be used to enforce limitations on the use of a root account. The root user of an AWS account has full access to all the resources in the account, making it a significant security risk if not properly controlled. With an SCP, you can create a policy that prevents the root user from performing certain actions, such as disabling CloudTrail or terminating EC2 instances.
Example SCP for Denying Root User Actions
Here’s an example SCP that denies the root user the ability to stop logging in CloudTrail:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserCloudTrailStopLogging",
      "Effect": "Deny",
      "Action": "cloudtrail:StopLogging",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```
By applying this SCP to an organizational unit or the entire organization, you ensure that even the root user cannot stop the CloudTrail logging, enhancing the security of your AWS environment.
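The deny above is easier to reason about with a small evaluator. The Python below is an added example, not AWS's evaluation engine and not code from these notes; it models only the policy features used on this page (Effect, Action wildcards, Resource "*", and the StringEquals, StringLike, StringNotEquals and BoolIfExists operators). It goes beyond the page's policy in one way: it also evaluates a region-restriction deny of the same shape, with a constructed list of approved regions. The request contexts and the account id 111122223333 are constructed. It also shows why a condition on aws:username cannot match the root user: that key is only present in requests made by IAM users, so the root user is matched on aws:PrincipalArn.

```python
import fnmatch
import json

# Added example (not AWS's evaluator, not code from the original notes): a
# small model of how SCP statements are matched against a request context.
# Only the features used by the page's policies are modelled.

# The page's root-user deny, with the root user matched on aws:PrincipalArn.
DENY_ROOT_STOP_LOGGING = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyRootUserCloudTrailStopLogging", "Effect": "Deny",
    "Action": "cloudtrail:StopLogging", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
  }]
}""")

# Generalization: a region restriction of the same shape. The approved-region
# list is a constructed example value.
DENY_EC2_OUTSIDE_REGIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyEc2OutsideApprovedRegions", "Effect": "Deny",
    "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}
  }]
}""")

# The FullAWSAccess policy AWS attaches by default; without an Allow statement
# somewhere in the effective SCPs, every action is denied.
FULL_AWS_ACCESS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Constructed request contexts; 111122223333 is a fictional account id.
# The root-user context carries no aws:username key.
ROOT_CONTEXT = {
    "aws:PrincipalArn": "arn:aws:iam::111122223333:root",
    "aws:MultiFactorAuthPresent": "false",
}
IAM_USER_CONTEXT = {
    "aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice",
    "aws:username": "alice",
    "aws:MultiFactorAuthPresent": "true",
    "aws:RequestedRegion": "us-east-1",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # Action names and ARNs compare case-insensitively with * wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_matches(condition, context):
    """Every operator/key pair must match for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in expected:  # missing key -> no match
                    return False
            elif operator == "StringLike":
                if actual is None or not any(_glob(p, actual) for p in expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:  # negated: a missing key still matches
                    return False
            elif operator == "BoolIfExists":
                if actual is not None and str(actual).lower() != expected[0].lower():
                    return False  # ...IfExists: a missing key matches
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def _statement_applies(statement, action, context):
    if not any(_glob(p, action) for p in _as_list(statement.get("Action", []))):
        return False
    condition = statement.get("Condition")
    return condition is None or _condition_matches(condition, context)


def scp_result(policies, action, context):
    """'Deny' if any SCP statement denies; 'Allow' only if one allows and none denies."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, action, context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def effective_allow(iam_allows, policies, action, context):
    """SCPs cap permissions: a request needs both an IAM allow and an SCP allow."""
    return bool(iam_allows) and scp_result(policies, action, context) == "Allow"


def username_condition_matches_root():
    """The condition seen in many cram notes never fires for the root user."""
    return _condition_matches({"StringEquals": {"aws:username": "root"}}, ROOT_CONTEXT)
```

Call `scp_result([FULL_AWS_ACCESS, DENY_ROOT_STOP_LOGGING], "cloudtrail:StopLogging", ROOT_CONTEXT)` to see the deny fire for root and `"Allow"` come back for the IAM user; `username_condition_matches_root()` returns `False`, which is the defect in the aws:username variant of this policy. Missing-key handling for the negated and IfExists operators is modelled here the way it is documented for IAM condition evaluation, but it is this example's model, not AWS code.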
AWS Control Tower and SCPs
AWS Control Tower further extends the capabilities of SCPs by providing a way to standardize and automate the setup of a multi-account AWS environment based on best practices. When setting up AWS Control Tower, you define a landing zone that includes not only the multi-account structure but also a set of automated guardrails, which are high-level policy statements that encapsulate best practices for security, operations, and compliance.
These guardrails can be either preventive or detective. Preventive guardrails are essentially SCPs, which prevent certain actions from taking place, ensuring compliance with your policies. For example, there can be a guardrail that ensures MFA is enabled for the IAM root user, which is a preventive measure against unauthorized access:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFAForRootUser",
      "Effect": "Deny",
      "Action": [
        "iam:*"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        },
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```
On the other hand, detective guardrails are implemented using AWS Config rules, which evaluate the configuration of your AWS resources and notify you if they don’t comply with your defined configurations.
Comparing SCPs and AWS Config Rules
The following table summarizes the differences between SCPs and AWS Config rules as they apply to Control Tower guardrails:
| Feature | SCPs | AWS Config Rules |
|---|---|---|
| Type | Preventive policy enforcement | Detective configuration audit |
| Scope | Account / organizational unit level | Resource level |
| Enforcement point | Before the action is performed | After the action is performed |
| Customization | Yes (JSON policy documents) | Yes (AWS Lambda functions) |
Implementing SCPs and AWS Control Tower guardrails requires a well-thought-out strategy that considers both the security requirements of your organization and the need for flexibility and autonomy of individual AWS accounts. By combining SCPs for preventive control with Config rules for ongoing compliance validation, you strike a balance between security enforcement and operational agility.
In summary, SCPs are vital in implementing technical solutions to enforce policies. When integrated with AWS Control Tower, they provide a cohesive and scalable security posture that can be managed centrally, ensuring that your AWS environment is compliant with organizational standards and industry best practices.
Practice Test with Explanation
True or False: SCPs can be used to enforce service-level restrictions across an entire AWS Organization.
- Answer: True
Explanation: SCPs, or Service Control Policies, provide central control over the maximum available permissions for all accounts in your organization, allowing you to enforce service-level restrictions.
True or False: SCPs are evaluated before IAM policies when determining a user’s effective permissions.
- Answer: True
Explanation: SCPs are evaluated before IAM policies and can therefore restrict the maximum permissions that IAM policies can grant.
Multiple Select: Which of the following actions can SCPs prevent in an AWS environment? (Choose two)
- A. Creation of new IAM Users
- B. Deletion of CloudTrail logs
- C. Accessing AWS Control Tower
- D. Modifying an EC2 instance within permitted policies
- Answer: A, B
Explanation: SCPs can prevent the creation of new IAM users and the deletion of CloudTrail logs if the policies are written to deny those actions.
Single Select: In AWS Control Tower, where are mandatory SCPs like “Disallow_Root_Account” and “Deny_Rule_Evaluations” applied?
- A. To individual user accounts
- B. To organizational units
- C. To all accounts in an organization
- D. Only to the master account
- Answer: C
Explanation: In AWS Control Tower, mandatory SCPs are applied to all accounts in an organization to ensure consistent governance and compliance across all accounts.
True or False: SCPs can be used to allow actions that IAM policies explicitly deny.
- Answer: False
Explanation: SCPs cannot be used to grant permissions; they are solely used as a guardrail to restrict permissions. If an IAM policy explicitly denies an action, an SCP cannot override that decision.
Single Select: What is required for SCPs to be effective within an AWS Organization?
- A. Enabling AWS CloudTrail
- B. Enabling multi-factor authentication for the root account
- C. Enabling all features in AWS Organizations
- D. Using AWS IAM Access Analyzer
- Answer: C
Explanation: To fully utilize SCPs, all features in AWS Organizations must be enabled, which includes the ability to use SCPs to manage permissions.
True or False: When a new account is created in an AWS Organization, it automatically inherits the SCPs from its parent organizational unit.
- Answer: True
Explanation: New accounts created in an AWS Organization inherit the SCPs that are applied to the parent organizational unit or root that they are part of.
True or False: SCPs take effect as soon as they are applied to an account or organizational unit without the need for any additional action.
- Answer: True
Explanation: Once SCPs are applied to an account or organizational unit, they immediately take effect without the need for any further steps.
Multiple Select: What types of limitations on the use of a root account can be enforced using SCPs? (Choose two)
- A. Preventing the root account from deleting VPCs
- B. Preventing the disabling of AWS CloudTrail
- C. Enforcing MFA for the root account login
- D. Limiting the geographical regions in which services can be deployed
- Answer: A, D
Explanation: SCPs can prevent the root account from taking certain actions like deleting VPCs and can restrict service operations to specific geographical regions.
True or False: SCPs apply to all users and roles in the accounts within an AWS Organization, including the root user.
- Answer: True
Explanation: SCPs restrict permissions for all IAM users and roles, as well as the AWS account’s root user, across all accounts in an organization.
Single Select: What is the default SCP applied to accounts in a new AWS Organization?
- A. DenyAll
- B. AllowAll
- C. ReadOnlyAccess
- D. AdministratorAccess
- Answer: B
Explanation: The default SCP applied to accounts in a new AWS Organization is “AllowAll,” which permits full access to AWS services and actions.
True or False: An account that is not part of an AWS Organization can have SCPs applied to it.
- Answer: False
Explanation: SCPs are a feature of AWS Organizations and can only be applied to accounts that are part of an organization.
Interview Questions
What are AWS Service Control Policies (SCPs) and how do they contribute to security best practices within an AWS environment?
SCPs are policies that offer central control over the maximum available permissions for all accounts in your organization, allowing you to manage permissions in AWS Organizations. SCPs help ensure members of your organization comply with security policies by preventing them from making changes that could affect your environment’s security posture, such as actions on root accounts or unauthorized services.
How do SCPs differ from IAM policies in AWS?
SCPs are used to manage permissions in AWS Organizations and apply to all users and roles in the member accounts, including the root user. They do not grant permissions but instead act as guardrails. IAM policies are attached to users, groups, or roles within an individual AWS account and define what actions are allowed or denied.
Can you explain how to prevent the use of the root account using SCPs?
To prevent the use of the root account, an SCP can be applied to restrict the root user’s actions. An SCP with an explicit deny on all actions (`"Action": "*"`) that applies to the root user (`"Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}`; the aws:username key is not present in root-user requests, so it cannot be used to match root) can be attached to the Organizational Unit (OU) or account to ensure that the root account cannot perform any actions.
Describe a scenario in which you would implement SCPs over other types of control tools in AWS.
SCPs would be implemented for organization-wide policies where you want to ensure that certain actions or services are restricted across all accounts in the organization, such as preventing users from disabling logging or bypassing region restrictions. For controls that are specific to a single account or service, IAM policies or service-specific tools might be more appropriate.
When implementing SCPs, how can you ensure minimal disruption to existing workflows and permissions?
Before implementing SCPs, perform a thorough audit and assessment of the current IAM policies, roles, and permissions in place. Then adopt a phased approach: start by setting the SCPs in audit mode to log the impact without enforcing them, review the logs to understand which legitimate actions would be affected, and iteratively refine the SCPs until they provide the desired level of control without disrupting existing workflows.
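One cheap step that fits before any phased rollout is a structural check of the policy document itself, so that syntax mistakes are caught before the policy is attached. The Python below is an added example, not an AWS tool and not code from these notes; its rules follow the documented SCP syntax (Version 2012-10-17, no Principal element, Allow statements limited to `"Resource": "*"` without Condition or NotResource) and the 5,120-character document limit, which the check applies to the whole serialized text including whitespace as a conservative assumption. The two sample documents GOOD_SCP and BAD_SCP are constructed; the root-user check flags the aws:username condition, which can never match the root user.

```python
import json

# Added example (not an AWS tool, not code from the original notes): structural
# pre-flight checks for an SCP document before it is attached in AWS
# Organizations. The size check counts the whole serialized text, including
# whitespace, as a conservative assumption made here.

MAX_SCP_CHARS = 5120

# Constructed samples. GOOD_SCP is the page's root-user deny with the root
# user matched on aws:PrincipalArn; BAD_SCP breaks several SCP rules at once.
GOOD_SCP = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyRootUserCloudTrailStopLogging", "Effect": "Deny",
    "Action": "cloudtrail:StopLogging", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
  }]
}"""

BAD_SCP = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "BrokenAllow", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket",
    "Condition": {"StringEquals": {"aws:username": "root"}}
  }]
}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_scp(document):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if len(document) > MAX_SCP_CHARS:
        findings.append(f"document is {len(document)} characters, limit is {MAX_SCP_CHARS}")
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON: {exc}"]
    if policy.get("Version") != "2012-10-17":
        findings.append('Version must be "2012-10-17"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for index, st in enumerate(statements):
        where = st.get("Sid") or f"statement[{index}]"
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Principal" in st or "NotPrincipal" in st:
            findings.append(f"{where}: Principal and NotPrincipal are not supported in SCPs")
        if "Action" not in st and "NotAction" not in st:
            findings.append(f"{where}: Action or NotAction is required")
        if "Resource" not in st and "NotResource" not in st:
            findings.append(f"{where}: Resource or NotResource is required")
        if effect == "Allow":
            # Allow statements in SCPs only widen the permission cap: they
            # must apply to every resource and cannot carry conditions.
            if _as_list(st.get("Resource")) != ["*"]:
                findings.append(f'{where}: Allow statements must use "Resource": "*"')
            for unsupported in ("Condition", "NotResource"):
                if unsupported in st:
                    findings.append(f"{where}: Allow statements do not support {unsupported}")
        # The root user has no aws:username in its request context, so a
        # condition on it never matches root; aws:PrincipalArn does.
        condition_text = json.dumps(st.get("Condition", {}))
        if '"aws:username"' in condition_text and '"root"' in condition_text:
            findings.append(f"{where}: aws:username never matches the root user; "
                            "match aws:PrincipalArn against arn:aws:iam::*:root")
    return findings
```

Run `lint_scp(GOOD_SCP)` to get an empty list and `lint_scp(BAD_SCP)` to get one finding per broken rule; a wrapper that reads policy files from a repository and fails the build on any finding is a natural place to put this in a pipeline that deploys SCPs.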
What steps are involved in implementing a new SCP in AWS Control Tower?
The steps typically involve defining the SCP policy statement with the necessary permissions, logging into AWS Control Tower as an admin, creating the SCP by navigating to the Service control policies section, attaching the SCP to the desired Organizational Units or accounts, and then testing to ensure it’s correctly enforcing the intended limitations.
How do SCPs interact with other AWS security features such as AWS Config or AWS GuardDuty?
While SCPs provide preventative controls to enforce compliance with policies, AWS Config and GuardDuty offer complementary capabilities. AWS Config monitors configuration changes and assesses compliance with desired configurations, while GuardDuty provides intelligent threat detection. SCPs act as the first line of defense, with Config and GuardDuty offering additional visibility and response layers.
What is the significance of AWS Control Tower in managing SCPs, and can SCPs be managed outside of Control Tower?
AWS Control Tower simplifies the management of SCPs in multi-account AWS environments, providing a central place to set up and govern these policies with less manual intervention. However, SCPs can also be managed directly through AWS Organizations for those not using Control Tower, offering flexibility to organizations in how they prefer to implement and manage SCPs.
How do you audit the effectiveness of SCPs in an AWS environment?
Audit the effectiveness of SCPs by using AWS CloudTrail logs to review the actions taken and to check whether unauthorized actions were blocked. Monitoring with AWS Config rules can also help verify that resources comply with the SCPs, and regular reviews of the SCPs themselves ensure they stay aligned with changing organizational policies and requirements.
What are some common challenges in implementing SCPs, and how can they be overcome?
Common challenges include understanding the cumulative effect of SCPs alongside IAM policies, not considering the potential impact on existing services before applying SCPs, and difficulty in managing SCPs across a large number of accounts. Overcoming these challenges involves thorough policy testing, careful planning and rollout of SCPs, and using tools like AWS Organizations policy simulator to predict the impact of SCPs.
Can SCPs be used to enforce multi-region restrictions, and how would you do that?
Yes, SCPs can be used to enforce multi-region restrictions by explicitly denying actions outside specified regions. This is done using a condition in the SCP that checks the requested region (`"Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}`) and denying access if the condition is met.
How can you enforce tag-based access control with SCPs?
To enforce tag-based access control with SCPs, you can establish policies that contain condition clauses checking for the presence of specific tags on resources and user/role sessions. Only actions by users or roles with matching tags would be allowed while others would be denied, ensuring that resources can only be accessed by specified entities.
Great post! SCPs are indeed an effective way to enforce policies in an organization, especially for managing root account usage.
Can someone explain how to create an SCP to limit the activities of the root account?
Love this topic! Implementing SCPs has greatly improved our security posture.
How does AWS Control Tower integrate with SCPs?
This information is very helpful, thanks!
Is there a way to test an SCP before applying it to avoid unintended disruptions?
Thanks for the insights!
How can we monitor the effectiveness of SCPs in enforcing policies?