If you’re running a cloud estate with multiple AWS accounts, you have most likely set up AWS Organizations (it’s free). This gives you the ability to create organizational units (OUs) and accounts under a management account, which helps isolate use cases (production from development, workloads from security tooling, and so on).
Whilst the creation part is easy, keeping it secure is hard. Keeping those concepts and boundaries in place requires governance and a tool to enforce standards at a high level. This is where service control policies (SCPs) come in.
What is an SCP?
Think of an SCP as a set of rules applied to an account or an OU. It’s your blueprint, or “guardrails” as Amazon calls them. SCPs never grant permissions on their own; they set the maximum permissions available to IAM users and roles in the accounts they apply to, and a Deny in an SCP wins over any Allow in IAM. Guardrails stop admins from doing things they shouldn’t, such as disabling services to get around controls. They can also be used for FinOps, for example preventing costly services or instance types from being used. One caveat: SCPs do not apply to the management account itself, so keep workloads and day-to-day users out of it.
How Do I Enable?
First, open the AWS console and go over to Organizations.
Here you will see your org. If you haven’t enabled it already, you will see a big orange ENABLE button.
On the left-hand side, you will see Policies. Let’s click on that.
If you haven’t enabled service control policies yet, enable them by clicking on the policy type name. Once enabled, you will see your current policies:
By default you will have FullAWSAccess, which is attached to the root and every OU and account and allows everything. For now, leave it in place (detaching it without a replacement cuts off access to those accounts) and create a new policy:
Give your policy a name and scroll down to the policy editor. This is where you need to spend your time: think about the design and the aim of your guardrails, then check what the services you care about support.
The example above denies actions that would remove or disable services used for security purposes, such as logging, auditing and threat detection.
If you want to go more granular, you can add conditions, for example exempting a break-glass role or limiting actions to approved regions:
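As an added worked example (this is not the policy from the post’s screenshots), here is an SCP that combines both ideas: a Deny on the actions that stop or delete CloudTrail, AWS Config, GuardDuty and Security Hub, a Deny on leaving the organization, and a region guardrail. The role name BreakGlassSecurityAdmin and the region list eu-west-1/eu-west-2 are assumptions for illustration; replace them with your own. The NotAction list in the region statement exempts global services (IAM, STS, Organizations, Route 53, CloudFront and similar) that are not called in a specific region; trim it to what your accounts actually use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectSecurityServicesExceptBreakGlass",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "securityhub:DisableSecurityHub"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassSecurityAdmin"
        }
      }
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyUnapprovedRegionsAssumedEuWest",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-west-2"]
        }
      }
    }
  ]
}
```

A few points on the design. The first statement is a Deny with an exemption rather than an Allow, because SCPs only ever filter permissions; the break-glass role still needs its own IAM permissions to actually do anything. Attach a policy like this to a sandbox OU first and test with a normal admin role, since a typo in an action name silently protects nothing and an over-broad NotAction list can lock out tooling. SCP documents are limited to 5,120 characters, so keep the statements compact. From the CLI you can create it with aws organizations create-policy (type SERVICE_CONTROL_POLICY) and bind it with aws organizations attach-policy to an OU or account ID. Remember it has no effect on the management account.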
This really is a playground, but the design shouldn’t be. Guardrails can really help secure your cloud, so they are worth looking into. If your console is breached, only the permissions of the compromised IAM user or role stand in the attacker’s way. If that principal has the access, turning off security controls, disabling logs or auditing is a click away.
If you haven’t got a good incident response process, you may not even notice. Instead, set SCPs and filter them down: you can create several and attach them at both the OU and account level, and a principal is limited by every SCP on the path from the root to its account, which gives flexibility. Once you’re happy, make sure only a small set of people in the management account can modify or detach them, otherwise, just like the scenario above, an attacker may come in and remove the policy.