TL;DR - Learn how Service Control Policies (SCPs) can protect your AWS security baseline by preventing unauthorized changes and enhancing overall security.
Maintaining a security baseline in AWS accounts is crucial for ensuring consistent and secure configurations across your organization. Service Control Policies (SCPs) provide a powerful tool to enforce this baseline and protect your AWS environment from accidental or malicious changes.
What is a Security Baseline?
A security baseline is the initial configuration of an AWS account that should always remain consistent. This configuration often includes enabling services like CloudTrail and GuardDuty, setting up specific IAM roles, and ensuring certain security measures are in place. Maintaining this baseline helps protect your accounts from unauthorized modifications and ensures a standard level of security across your organization.
General Guidance for SCPs
SCPs are policies that you can use to manage permissions in your AWS Organization. They enable you to control what actions can be performed in the accounts within your organization. Here are some best practices for creating and managing SCPs:
- Combine Policies: You are limited in the number of SCPs you can use, so combine multiple policies into a single SCP with separate statements.
- Be Cautious: SCPs are powerful but can create usability issues if not used carefully. Avoid creating too many exception cases.
- Provide Visibility: Use tools like Delegated Administrator for AWS Organizations to give engineers visibility into the SCPs affecting their accounts.
Use Cases for SCPs
Protecting IAM Roles
IAM roles are a critical part of your security baseline. Use SCPs to prevent unauthorized modifications to these roles. Here’s an example policy:
Protecting AWS Services
Protect services like CloudTrail and GuardDuty from being disabled or modified. Here’s an example policy:
Preventing Accounts from Leaving
Prevent accounts from leaving the organization to avoid circumventing SCPs:
Preventing Root Access
Restrict root user actions to mitigate account takeover risks:
Conclusion
Implementing SCPs is a powerful way to protect your AWS security baseline. By preventing unauthorized changes, you can ensure your accounts remain secure and compliant with your organization’s standards. Regularly review and update your SCPs to adapt to new threats and changes in your environment.