By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesAmazon ECRRDS Event Subscriptions

By Service Protected

Configuration Packages

Strategy Guides

Other

Service Control Policies

Service Control Policies Package

A configuration package to deploy common Service Control Policies (SCPs) in the master account of an AWS Organization. The SCPs are grouped for different security domains and services:

  • Account-level security – SCPs to restrict access based on AWS region, restrict root access and prevent users from leaving the Organization or modifying billing settings
  • Logging services protection – SCPs to prevent users from disabling logging and security services such as CloudTrail, Config, Config Rules, VPC Flow Logs, GuardDuty, Security Hub, Access Analyzer, and Macie
  • Network settings protection – SCPs to prevent modifying internet access or other network settings in VPCs
  • IAM settings protection – SCPs to prevent users from creating new IAM Users or Access Keys or modifying specific IAM Roles
  • S3 resources protection – SCPs to protect S3 Block Public Access settings, protect S3 buckets and Glacier Archives, and enforce S3 encryption
  • EC2 resources protection – SCPs to restrict EC2 instance types and to require MFA to stop EC2 instances
  • Other – SCPs to protect KMS Keys, CloudWatch Alarms/Dashboards, and prevent RAM sharing with external principals

See full SCP Repository to browse individual SCP policies.

Premium: Get a security assessment for your AWS Organization and Accounts
Items
6
Size
5.9 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  ScpPolicy1:
    Type: "Custom::ServiceControlPolicy"
    Properties:
      PolicyName: "scp_account_protection"
      PolicyDescription: "scp_account_protection"
      PolicyContents: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"*\",\"Resource\":\"*\",\"Effect\":\"Deny\",\"Condition\":{\"StringLike\":{\"aws:PrincipalArn\":[\"arn:aws:iam::*:root\"]}}},{\"Action\":[\"organizations:LeaveOrganization\"],\"Resource\":\"*\",\"Effect\":\"Deny\"},{\"Action\":[\"aws-portal:ModifyAccount\",\"aws-portal:ModifyBilling\",\"aws-portal:ModifyPaymentMethods\"],\"Resource\":\"*\",\"Effect\":\"Deny\"}]}"
      ServiceToken:
        Fn::GetAtt:
          - "ScpResourceLambda"
          - "Arn"
  ScpResourceLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: "scp-access"
          PolicyDocument:
            Statement:
              - Effect: "Allow"
                Action:
                  - "organizations:UpdatePolicy"
                  - "organizations:DeletePolicy"
                  - "organizations:CreatePolicy"
                  - "organizations:ListPolicies"
                Resource: "*"
  ScpResourceLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        ZipFile: "\n'use strict';\nconst AWS = require('aws-sdk');\nconst response = require('cfn-response');\nconst organizations = new AWS.Organizations({region: 'us-east-1'});\n\nexports.handler = (event, context, cb) => {\n  console.log('Invoke:', JSON.stringify(event));\n  const done = (err, data) => {\n    if (err) {\n      console.log('Error: ', err);\n      response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');\n    } else {\n      response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');\n    }\n  };\n  \n  const updatePolicies = (policyName, policyAction) => {\n    organizations.listPolicies({\n      Filter: \"SERVICE_CONTROL_POLICY\"\n     }, function(err, data){\n         if (err) done(err);\n         else {\n           const policy = data.Policies.filter((policy) => (policy.Name === policyName))\n           let policyId = ''\n           if (policy.length > 0) \n            policyId = policy[0].Id\n           else\n            done('policy not found')\n           if (policyAction === 'Update'){\n             organizations.updatePolicy({\n               Content: event.ResourceProperties.PolicyContents,\n               PolicyId: policyId\n             }, done)\n           }\n           else {\n              organizations.deletePolicy({\n                PolicyId: policyId\n              }, done)\n           }\n         }\n     })\n  }\n  \n  if (event.RequestType === 'Update' || event.RequestType === 'Delete') {\n    updatePolicies(event.ResourceProperties.PolicyName, event.RequestType)\n    \n  } else if (event.RequestType === 'Create') {\n    organizations.createPolicy({\n          Content: event.ResourceProperties.PolicyContents, \n          Description: event.ResourceProperties.PolicyDescription, \n          Name: event.ResourceProperties.PolicyName, \n          Type: \"SERVICE_CONTROL_POLICY\"\n         }, done);\n  } else {\n    cb(new Error('unsupported RequestType: ', event.RequestType));\n  }\n};"
      Handler: "index.handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "ScpResourceLambdaRole"
          - "Arn"
      Runtime: "nodejs12.x"
      Timeout: 120
  ScpPolicy2:
    Type: "Custom::ServiceControlPolicy"
    Properties:
      PolicyName: "scp_logging_services_protection"
      PolicyDescription: "scp_logging_services_protection"
      PolicyContents: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"cloudtrail:StopLogging\",\"cloudtrail:DeleteTrail\"],\"Resource\":\"*\",\"Effect\":\"Deny\"},{\"Action\":[\"config:DeleteConfigRule\",\"config:DeleteConfigurationRecorder\",\"config:DeleteDeliveryChannel\",\"config:StopConfigurationRecorder\"],\"Resource\":\"*\",\"Effect\":\"Deny\"},{\"Action\":[\"guardduty:DeleteDetector\",\"guardduty:DeleteInvitations\",\"guardduty:DeleteIPSet\",\"guardduty:DeleteMembers\",\"guardduty:DeleteThreatIntelSet\",\"guardduty:DisassociateFromMasterAccount\",\"guardduty:DisassociateMembers\",\"guardduty:StopMonitoringMembers\",\"guardduty:UpdateDetector\"],\"Resource\":\"*\",\"Effect\":\"Deny\"},{\"Action\":[\"securityhub:DeleteInvitations\",\"securityhub:DisableSecurityHub\",\"securityhub:DisassociateFromMasterAccount\",\"securityhub:DeleteMembers\",\"securityhub:DisassociateMembers\"],\"Resource\":\"*\",\"Effect\":\"Deny\"}]}"
      ServiceToken:
        Fn::GetAtt:
          - "ScpResourceLambda"
          - "Arn"
    DependsOn:
      - "ScpPolicy1"
  ScpPolicy3:
    Type: "Custom::ServiceControlPolicy"
    Properties:
      PolicyName: "scp_iam_protection"
      PolicyDescription: "scp_iam_protection"
      PolicyContents: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"iam:CreateUser\",\"iam:CreateAccessKey\"],\"Resource\":[\"*\"],\"Effect\":\"Deny\"}]}"
      ServiceToken:
        Fn::GetAtt:
          - "ScpResourceLambda"
          - "Arn"
    DependsOn:
      - "ScpPolicy2"
  ScpPolicy4:
    Type: "Custom::ServiceControlPolicy"
    Properties:
      PolicyName: "scp_s3_protection"
      PolicyDescription: "scp_s3_protection"
      PolicyContents: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:PutAccountPublicAccessBlock\"],\"Resource\":\"*\",\"Effect\":\"Deny\"}]}"
      ServiceToken:
        Fn::GetAtt:
          - "ScpResourceLambda"
          - "Arn"
    DependsOn:
      - "ScpPolicy3"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Configuration Presets

Resource Settings

EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT
EDIT