Service Control Policies for Working on AWS

Amazon Web Services is a leading pay-as-you-go cloud computing platform that provides software assistance, API services, and processing capacities to startups, corporates, and entrepreneurs. Its blanket infrastructure provides users access to purpose-built databases, unlimited storage, and computing.

The platform has taken things further with artificial intelligence and machine learning and meets almost a hundred security standards. Its cost-effective, comprehensive, and innovative approach to cloud computing makes it the first choice of government agencies and tech companies.

What Are AWS Organizations

Amazon Web Services enables its users to manage their environment through a managerial service, AWS Organizations. With this, companies or individuals can create multiple accounts and then control, allocate and restrict their AWS resources for them using different policies. The service helps users meet the unique requirements of their business, from operational to financial.

AWS Organizations can centrally configure security standards, govern resources, and review requirements at no additional expense. Through consolidated billing, it lets you pay for every account in the organization through a single account. As a governing body, it streamlines the workflow by managing the individual accounts that belong to an organization.

Service Control Policies for AWS Organizations

One of the key features of AWS Organizations is Service Control Policies (SCPs), used by central security administrators. These policies reinforce your role as a governing authority and put all IAM users and roles under one set of rules. With SCPs, you can control every AWS account and make it adhere to your own permissions and exceptions. This lets you hold everyone working for you to an approved guideline without letting them bypass your authority.

For instance, you can stop an AWS account from using an IAM role by specifying conditions and resources. You can also impose restrictions on particular Regions and deny IAM entities access to certain AWS services. Note that the management account is not subject to SCP restrictions and is free to access and act under whichever IAM role and authority it wants.

How Service Control Policies for AWS Organizations Work

AWS Organizations is divided into a root, which contains all accounts in your organization, organizational units (OUs), and individual accounts. Organizational units are essential for creating hierarchies in your structure and make applying SCPs easy. If you want to restrict your administrative team from accessing an AWS Region or performing a specific service action, you can deny access to a whole organizational unit (OU).

Service Control Policies for AWS Organizations apply to all Identity and Access Management (IAM) entities, including all roles, users, and root account users. SCPs are built on AWS IAM, yet they are evaluated together with IAM policies to determine the effective permissions. Simply put, an action an SCP denies cannot be unlocked by an IAM permission, and an action an SCP allows is still unusable without an IAM permission.

The AWS account must have IAM permission for a resource or action for an SCP allow to have any effect. Therefore, you still have to create an identity- or resource-based policy to permit actions from an account. Even then, an SCP only controls the identity-based permissions of IAM principals.
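To make the intersection rule in the two paragraphs above concrete, here is an added example that is not part of the original post or any AWS code: a small evaluator that combines a constructed sample SCP with a constructed sample IAM identity policy. It shows that an SCP deny overrides an IAM allow, that an SCP allow on its own grants nothing, and that users and roles in the management account skip the SCP entirely. The condition handling covers only the two string operators the sample uses; the region, action and policy names are assumptions.

```python
"""Effective-permission check that combines an SCP with an IAM identity policy.

Added illustration of the evaluation rule in the text; not AWS's own code.
Both documents below are constructed samples.
"""
from fnmatch import fnmatchcase

# Constructed sample SCP: allow everything, then deny one service and every
# Region except eu-west-1 (global services are exempted through NotAction).
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyDynamoDB", "Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"},
        {
            "Sid": "DenyNonApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}},
        },
    ],
}

# Constructed sample identity-based policy attached to a role in a member account.
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "dynamodb:GetItem"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, context):
    """Evaluate the subset of condition operators used in the sample SCP."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            wanted = [w.lower() for w in _as_list(wanted)]
            present = actual is not None and actual.lower() in wanted
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def _statement_applies(stmt, action, context):
    if "Action" in stmt:
        matched = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement applies to every action NOT listed
        matched = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return matched and _condition_holds(stmt.get("Condition"), context)


def policy_decision(policy, action, context):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(scp, iam_policy, action, context, in_management_account=False):
    """The SCP bounds what IAM can grant: both documents must allow the action."""
    if not in_management_account:  # the management account is not subject to SCPs
        if policy_decision(scp, action, context) != "Allow":
            return False
    return policy_decision(iam_policy, action, context) == "Allow"
```

Run `is_allowed(SAMPLE_SCP, SAMPLE_IAM_POLICY, "dynamodb:GetItem", {"aws:RequestedRegion": "eu-west-1"})` and it returns False even though the IAM policy grants the action, whereas `s3:PutObject` returns False for the opposite reason: the SCP permits it but nothing in IAM does.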

Limitations on Service Control Policies

Although identity-based, SCP permissions do not apply to some actions performed by specific IAM entities. Some of these are listed below:

  • SCPs apply to all member accounts within an organization but do not affect users and roles in the management account.
  • Service-linked roles, Alexa Top Sites, Web Information Service, Amazon Mechanical Turk, and the Product Marketing API are all exempted from the SCP effect.
  • Despite the SCP restriction, a root user can tinker with the support level of AWS and switch to a different support plan.

Common Policy Language Elements Between IAM and SCPs

IAM shares some of its policy language elements with SCPs, though NotAction, Resource, and Condition are newer additions to SCPs and are supported only in Deny statements. The common policy language elements between IAM and SCPs are as follows:

  • Statement: All policies have at least one statement as the main element. A policy with multiple statements has the same effect types available as a policy with one statement.
  • Sid: This is an optional nickname for your statement.
  • Effect: This determines whether the SCP statement allows or denies the listed actions.
  • Action: All actions that are affected by the SCP statement are listed here.
  • NotAction: This element can be used in place of the Action element. With it, you list all the actions you want to exclude from the statement's effect.
  • Resource: This specifies which AWS resources the SCP statement covers.
  • Condition: This defines the condition for a statement to be in effect.

Policy Language Element    Effect Type
Statement                  Allow; Deny
Sid                        Allow; Deny
Effect                     Allow; Deny
Action                     Allow; Deny
NotAction (Optional)       Deny
Resource (Optional)        Deny
Condition (Optional)       Deny

NotAction, Resource, and Condition can easily be added to existing or new SCPs in AWS Organizations through its console.
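The table above is easy to get wrong when writing SCPs by hand, so here is an added lint check, not an AWS tool or code from the original post, that enforces it: an Allow statement may carry only Sid, Effect, Action and a Resource of "*" (AWS rejects any other Resource in an Allow statement), while NotAction, a specific Resource and Condition are accepted only in Deny statements. Both policy documents are constructed samples; the bucket name and Sids are assumptions.

```python
"""Lint an SCP document against the Allow/Deny element rules in the table.

Added example, not an AWS utility. The two policies are constructed samples:
one that passes and one that breaks three of the rules.
"""

ALLOW_ELEMENTS = {"Sid", "Effect", "Action", "Resource"}
DENY_ELEMENTS = ALLOW_ELEMENTS | {"NotAction", "Condition"}

GOOD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyBucketOutsideRegion",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}},
        },
    ],
}

BAD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Allow with a Condition and a specific Resource: both unsupported
            "Sid": "AllowS3InOneRegion",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
        },
        {   # Action and NotAction in the same statement
            "Sid": "Broken",
            "Effect": "Deny",
            "Action": "ec2:*",
            "NotAction": "ec2:Describe*",
            "Resource": "*",
        },
    ],
}


def lint_statement(stmt, index):
    """Return the problems found in one statement (an empty list when it is clean)."""
    problems = []
    where = stmt.get("Sid") or f"statement[{index}]"
    effect = stmt.get("Effect")
    if effect not in ("Allow", "Deny"):
        return [f"{where}: Effect must be Allow or Deny, got {effect!r}"]
    if ("Action" in stmt) == ("NotAction" in stmt):
        problems.append(f"{where}: exactly one of Action or NotAction is required")
    if "Resource" not in stmt:
        problems.append(f"{where}: Resource is required")
    if effect == "Allow":
        # Only the elements in the Allow column of the table may appear here.
        for element in sorted(set(stmt) - ALLOW_ELEMENTS):
            problems.append(f"{where}: {element} is only supported in Deny statements")
        if stmt.get("Resource") not in (None, "*", ["*"]):
            problems.append(f'{where}: an Allow statement\'s Resource must be "*"')
    else:
        for element in sorted(set(stmt) - DENY_ELEMENTS):
            problems.append(f"{where}: unknown element {element}")
    return problems


def lint_scp(policy):
    """Return every problem in the policy document; an empty list means it is clean."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        problems.append("at least one statement is required")
    for index, stmt in enumerate(statements):
        problems.extend(lint_statement(stmt, index))
    return problems
```

`lint_scp(BAD_SCP)` reports three problems (the Condition and the non-wildcard Resource in the Allow statement, and the Action/NotAction clash in the Deny statement), while `lint_scp(GOOD_SCP)` returns an empty list. Running such a check before a policy is attached catches mistakes that otherwise only surface when the console refuses to save.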

How to Create an SCP Using the AWS Organizations Console

To create an SCP, you must have the following permissions:

  • Permission to run organizations:CreatePolicy.
  • Permission to enable all features in AWS Organizations.

Therefore, organizations with only consolidated billing enabled cannot create SCPs.

  • Step 1: Navigate to the AWS Organizations console.
  • Step 2: Go to the Policies tab.
  • Step 3: Select Create Policy.
  • Step 4: Assign a name and description to your policy for quick identification.
  • Step 5: Go to the text editor and place your cursor beside the empty statement. The console will recognize your policy from the name and will suggest the appropriate Actions, Resources, and Conditions.
  • Step 6: You can tinker with the statement ID to determine the effect of the statement.
  • Step 7: List all the AWS actions you want to restrict. The console provides details about each action.
  • Step 8: The NotAction policy element can be used to deny access to all actions except those listed in it. Change Action to NotAction.
  • Step 9: Add Resources for the role. Pay mind to the account ID.

Your SCPs are in effect for specific accounts, actions, and resources.
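The steps above end in a policy with a statement ID, a NotAction list, a Resource and a Condition. As an added example that is not part of the original post or AWS's own code, the block below builds exactly that kind of policy for the Region restriction mentioned earlier in the article and pushes it through the boto3 Organizations API instead of the console, checking first that all features are enabled (consolidated-billing-only organizations cannot create SCPs). The approved Region, the bypass role name and the OU id are placeholders; the list of global-service actions left reachable is an assumption you should adjust to the services your accounts use.

```python
"""Build, gate and attach a Region-restriction SCP with the Organizations API.

Added example of the policy the console steps produce; not the blog's or
AWS's code. Region, role name and OU id are placeholders.
"""
import json

# Global services to keep reachable when other Regions are denied; assumed list.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*",
]


def build_region_restriction_scp(allowed_regions, bypass_role_name):
    """Deny every Regional action outside allowed_regions, except for one admin role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllOutsideApprovedRegions",
                "Effect": "Deny",
                # NotAction: the deny applies to everything except the listed global services
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)},
                    # Exception: the named role in any account of the organization
                    "ArnNotLike": {
                        "aws:PrincipalARN": [f"arn:aws:iam::*:role/{bypass_role_name}"]
                    },
                },
            }
        ],
    }


def deploy_scp(client, policy, name, description, target_id):
    """Create the SCP and attach it to a root, OU or account id; returns the policy id."""
    org = client.describe_organization()["Organization"]
    if org["FeatureSet"] != "ALL":
        raise RuntimeError("SCPs need all features enabled, not consolidated billing only")
    created = client.create_policy(
        Content=json.dumps(policy),
        Description=description,
        Name=name,
        Type="SERVICE_CONTROL_POLICY",
    )
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    # A policy has no effect until it is attached to a target in the hierarchy.
    client.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


if __name__ == "__main__":
    import boto3  # only needed for a real run, with credentials for the management account

    scp = build_region_restriction_scp(["eu-west-1"], "OrgBreakGlassRole")
    print(deploy_scp(boto3.client("organizations"), scp, "RegionRestriction",
                     "Deny Regional actions outside eu-west-1", "ou-placeholder-id"))
```

Because `deploy_scp` takes the client as a parameter, it can be exercised against a stub before it is ever pointed at a real organization, and the `FeatureSet` check fails fast with a clear message instead of an API error when the prerequisite from the previous section is not met.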

Takeaways:

Service Control Policies are essential for maintaining central governance in an organization. They allow the management account to dictate the guidelines for every member account in the organization.
