
Create the service control policies in AWS Organization

In the steps in this section, you create three service control policies (SCPs) and attach them to the root and to the OUs to restrict what users in the organization’s accounts can do. The first SCP prevents anyone in any of the member accounts from creating or modifying any AWS CloudTrail logs that you configure. The master account isn’t affected by any SCP, so after you apply the CloudTrail SCP, you must create any logs from the master account.

To create the first SCP that blocks CloudTrail configuration actions

  1. Choose the Policies tab and then choose Create policy.
  2. For Policy name, enter Block CloudTrail Configuration Actions.
  3. In the Policy section on the left, select CloudTrail for the service. Then choose the following actions: AddTags, CreateTrail, DeleteTrail, RemoveTags, StartLogging, StopLogging, and UpdateTrail.
  4. Still in the left pane, choose Add resource and specify CloudTrail and All Resources. Then choose Add resource. The policy statement on the right updates to look similar to the following.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1234567890123",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:AddTags",
                    "cloudtrail:CreateTrail",
                    "cloudtrail:DeleteTrail",
                    "cloudtrail:RemoveTags",
                    "cloudtrail:StartLogging",
                    "cloudtrail:StopLogging",
                    "cloudtrail:UpdateTrail"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  5. Choose Create policy.

The second policy defines an allow list of all the services and actions that you want to enable for users and roles in the Production OU. When you’re done, users in the Production OU can access only the listed services and actions.

To create the second policy that allows approved services for the production OU

  1. From the list of policies, choose Create policy.
  2. For Policy name, enter Allow List for All Approved Services.
  3. Position your cursor in the right pane of the Policy section and paste in a policy like the following.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1111111111111",
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "elasticloadbalancing:*",
                    "codecommit:*",
                    "cloudtrail:*",
                    "codedeploy:*"
                ],
                "Resource": [ "*" ]
            }
        ]
    }
  4. Choose Create policy.

The final policy provides a deny list of services that are blocked from use in the MainApp OU. For this tutorial, you block access to Amazon DynamoDB in any accounts that are in the MainApp OU.

To create the third policy that denies access to services that can’t be used in the MainApp OU

  1. From the Policies tab, choose Create policy.
  2. For Policy name, enter Deny List for MainApp Prohibited Services.
  3. In the Policy section on the left, select Amazon DynamoDB for the service. For the action, choose All actions.
  4. Still in the left pane, choose Add resource and specify DynamoDB and All Resources. Then choose Add resource. The policy statement on the right updates to look similar to the following.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [ "dynamodb:*" ],
          "Resource": [ "*" ]
        }
      ]
    }
  5. Choose Create policy to save the SCP.

Enable the service control policy type in the root

Before you can attach a policy of any type to a root or to any OU within a root, you must enable the policy type for that root. Policy types aren’t enabled in any root by default. The steps in this section show you how to enable the service control policy (SCP) type for the root in your organization.

  1. On the Organize accounts tab, choose your root.
  2. In the Details pane on the right, under ENABLE/DISABLE POLICY TYPES and next to Service control policies, choose Enable.

Attach the SCPs to your OUs

Now that the SCPs exist and are enabled for your root, you can attach them to the root and OUs.

To attach the policies to the root and the OUs

  1. Still on the Organize accounts tab, in the Details pane on the right, under POLICIES, choose SERVICE CONTROL POLICIES.
  2. Choose Attach next to the SCP named Block CloudTrail Configuration Actions to prevent anyone from altering the way that you configured CloudTrail. In this tutorial, you attach it to the root so that it affects all member accounts. The Details pane now highlights that two SCPs are attached to the root: the one you just created and the default FullAWSAccess SCP.
  3. Choose the Production OU (not the check box) to navigate to its contents.
  4. Under POLICIES, choose SERVICE CONTROL POLICIES and then choose Attach next to Allow List for All Approved Services to enable users or roles in member accounts in the Production OU to access the approved services.
  5. The information pane now shows that two SCPs are attached to the OU: the one that you just attached and the default FullAWSAccess SCP. However, because the FullAWSAccess SCP is also an allow list that allows all services and actions, you must detach this SCP to ensure that only your approved services are allowed.
  6. To remove the default policy from the Production OU, next to FullAWSAccess, choose Detach. After you remove this default policy, all member accounts under the root immediately lose access to all actions and services that are not on the allow list SCP that you attached in the preceding step. Any requests to use actions that aren’t included in the Allow List for All Approved Services SCP are denied. This is true even if an administrator in an account grants access to another service by attaching an IAM permissions policy to a user in one of the member accounts.
  7. Now you can attach the SCP named Deny List for MainApp Prohibited Services to prevent anyone in the accounts in the MainApp OU from using any of the restricted services. To do this, choose the MainApp OU (not the check box) to navigate to its contents.
  8. In the Details pane, under POLICIES, expand the Service control policies section. In the list of available policies, next to Deny List for MainApp Prohibited Services, choose Attach.
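The following is an added example, not AWS code and not part of the tutorial. It models how AWS evaluates SCPs along the hierarchy (at the root, at every OU on the path, and at the account, some attached SCP must allow the action and none may deny it; the IAM policy must then allow it as well) and runs the three SCPs above, plus the default FullAWSAccess SCP, through that model. It assumes the hierarchy the tutorial built in earlier steps that this page does not show (Root, then the Production OU, then the MainApp OU, then a member account); the constructed IAM policy `IAM_S3_ADMIN`, the functions `policies_permit`, `scps_permit` and `effective_allow`, and the `PATH_BEFORE_DETACH` / `PATH_AFTER_DETACH` constants are the example's own. It shows the effect of step 6: once FullAWSAccess is detached from the Production OU, a service that is not on the allow list is denied even when an account administrator grants it through IAM.

```python
"""Model of how AWS evaluates the tutorial's SCPs (added example, not AWS code).

Rule modelled: at each level of the hierarchy (root, every OU on the path,
the account) a request is permitted only if some attached SCP contains an
Allow statement matching the action and no attached SCP contains a matching
Deny. SCPs never grant access by themselves; an IAM policy must also allow
the action. NotAction, resource ARNs and conditions are not modelled, since
the tutorial's policies use none of them.
"""
import fnmatch
import json

# The three SCPs from the tutorial, plus the default FullAWSAccess SCP that
# AWS Organizations attaches to every root, OU and account.
BLOCK_CLOUDTRAIL = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1234567890123",
        "Effect": "Deny",
        "Action": ["cloudtrail:AddTags", "cloudtrail:CreateTrail",
                   "cloudtrail:DeleteTrail", "cloudtrail:RemoveTags",
                   "cloudtrail:StartLogging", "cloudtrail:StopLogging",
                   "cloudtrail:UpdateTrail"],
        "Resource": ["*"]
    }]
}""")
ALLOW_LIST = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1111111111111",
        "Effect": "Allow",
        "Action": ["ec2:*", "elasticloadbalancing:*", "codecommit:*",
                   "cloudtrail:*", "codedeploy:*"],
        "Resource": ["*"]
    }]
}""")
DENY_DYNAMODB = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Deny", "Action": ["dynamodb:*"], "Resource": ["*"]}]}
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed IAM identity policy: an account administrator grants s3:* to a user.
IAM_S3_ADMIN = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action matching is case-insensitive and "*" matches any run of characters.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def policies_permit(policies, action):
    """Evaluate one set of policies: an explicit Deny wins, otherwise an Allow is required."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scps_permit(path, action):
    """path: the SCPs attached at each level, root first, account last.
    Every level on the path must permit the action."""
    return all(policies_permit(level, action) for level in path)


def effective_allow(path, iam_policy, action):
    """A request succeeds only if the SCPs permit it AND the IAM policy allows it."""
    return scps_permit(path, action) and policies_permit([iam_policy], action)


# Assumed hierarchy from the tutorial's earlier steps (not shown on this page):
# Root -> Production OU -> MainApp OU -> member account.
ROOT = [FULL_AWS_ACCESS, BLOCK_CLOUDTRAIL]
MAINAPP_OU = [FULL_AWS_ACCESS, DENY_DYNAMODB]
ACCOUNT = [FULL_AWS_ACCESS]
# The Production OU before and after step 6 detaches FullAWSAccess from it.
PATH_BEFORE_DETACH = [ROOT, [FULL_AWS_ACCESS, ALLOW_LIST], MAINAPP_OU, ACCOUNT]
PATH_AFTER_DETACH = [ROOT, [ALLOW_LIST], MAINAPP_OU, ACCOUNT]

if __name__ == "__main__":
    for action in ["ec2:RunInstances", "s3:GetObject", "cloudtrail:DescribeTrails",
                   "cloudtrail:StopLogging", "dynamodb:PutItem"]:
        print(f"{action:28} before detach: {scps_permit(PATH_BEFORE_DETACH, action)!s:5} "
              f"after detach: {scps_permit(PATH_AFTER_DETACH, action)}")
    # An IAM grant inside the member account cannot override the allow list.
    print("s3:GetObject with IAM s3:* after detach:",
          effective_allow(PATH_AFTER_DETACH, IAM_S3_ADMIN, "s3:GetObject"))
```

Two results are worth checking against your own organization's state: cloudtrail:StopLogging is denied even though cloudtrail:* is on the allow list, because the Deny attached at the root applies at every level below it; and s3:GetObject flips from permitted to denied only after FullAWSAccess is detached from the Production OU, which is why step 6 matters even though the allow list is already attached after step 4.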
