Learn About Amazon VGT2 Learning Manager Chanci Turner
Many organizations utilize AWS Organizations to manage multiple accounts, leveraging Service Control Policies (SCPs) for centralized permission management. SCPs provide a way to enforce maximum permissions across accounts, organizational units (OUs), or even at the organizational root level.
Administrators can enforce these policies on all IAM users and roles within an organization. For a detailed understanding, refer to the sections on Effects on Permissions in the AWS Organizations User Guide and Determining Request Permissions in the IAM User Guide.
Organizations often face compliance requirements, whether they arise from internal mandates or industry regulations. SCPs can address various compliance needs, including restrictions on regions, users/roles, services, and more. This blog post presents a solution that ensures specific SCPs remain attached to designated OUs or AWS accounts. If an SCP is detached, the system can detect this change, notify a compliance team, and even automatically reattach the SCP, thereby ensuring that compliance objectives are consistently met.
Prerequisites
To implement the steps outlined in this post, the following are necessary:
- An AWS organization with “All features” enabled for managing SCPs. For further details, refer to the AWS Organizations documentation on creating and configuring an organization.
- Access to the AWS management account since the solution described must be deployed from this account.
- Create a test SCP and attach it to an OU without any AWS accounts to assess the solution’s behavior. An example SCP to consider is one that prevents accounts from leaving the organization by blocking the use of the LeaveOrganization API:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```
Ensure that AWS CloudTrail is configured in the management account in the North Virginia Region for monitoring purposes. Always remember that deny permissions take precedence over allows, so thoroughly test any SCPs in a controlled environment before rolling them out to production. Utilize Policy Staging OUs for safe testing of policy changes.
Architecture
The solution operates from the management account and features an Amazon EventBridge rule that listens for a specific CloudTrail event called “DetachPolicy,” which is triggered when an SCP is removed from an OU or AWS account. The system is designed to monitor these CloudTrail events and respond if an SCP detachment occurs.
If an SCP is detached, EventBridge captures the event and sends an Amazon Simple Notification Service (Amazon SNS) notification to designated email addresses for compliance auditing (your company's security team, for example). In parallel, an AWS Lambda function reattaches the SCP to the OU or AWS account it was removed from.
- Create an Amazon SNS topic that will notify via email when an SCP is detached.
- Create the AWS Lambda function shown below. Be sure to replace the SNS topic ARN placeholder with the ARN of the topic you created in the previous step.
```python
import json

import boto3
from botocore.exceptions import ClientError

# Replace this placeholder with the ARN of the SNS topic created in the previous step
SNS_TOPIC_ARN = "ADD_YOUR_SNS_TOPIC_ARN"


def lambda_handler(event, context):
    print(json.dumps(event))
    # The DetachPolicy CloudTrail event carries the SCP and the OU/account it was removed from
    params = event["detail"]["requestParameters"]
    policy_id = params["policyId"]
    target_id = params["targetId"]

    org = boto3.client("organizations")
    try:
        # Reattach the SCP to the OU or account it was detached from
        org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    except ClientError as e:
        error_code = e.response["Error"]["Code"]
        if error_code == "DuplicatePolicyAttachmentException":
            # Someone already reattached it; the target is compliant again
            return {"statusCode": 200, "body": json.dumps({"policyId": policy_id,
                                                           "targetId": target_id,
                                                           "action": "already attached"})}
        # Throttling (TooManyRequestsException), ServiceException, etc.: e-mail the
        # error details to the compliance team, then fail the invocation
        message = f"Failed to reattach SCP {policy_id} to {target_id}: {error_code} - {e}"
        print(message)
        boto3.client("sns").publish(
            TopicArn=SNS_TOPIC_ARN,
            Message=message,
            Subject="Error while running Automated SCP Detachment Remediation Lambda",
        )
        raise

    return {
        "statusCode": 200,
        "body": json.dumps({"policyId": policy_id, "targetId": target_id,
                            "action": "reattached"}),
    }
```
- Create an Amazon EventBridge rule to link the Lambda function and SNS topic as targets for the specified events.
The EventBridge rule has two targets: the AWS Lambda function that performs the SCP reattachment and the Amazon SNS topic that sends the notification. The Lambda function calls the AttachPolicy API to restore the SCP to the designated OU or AWS account. If that call fails (for example, because of API throttling), the function publishes the error details to the SNS topic so the compliance team receives them by email.
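The post does not spell out the rule's event pattern or how to limit remediation to the SCPs the compliance team actually cares about. The following added example (not code from the original post) encodes the DetachPolicy event pattern as a Python dict, implements the subset of EventBridge matching it relies on, and checks a constructed CloudTrail event against a protected list of (policy, target) pairs; the policy and OU IDs are hypothetical.

```python
# EventBridge event pattern for the rule described in the post: CloudTrail
# API-call events from AWS Organizations whose eventName is DetachPolicy.
DETACH_POLICY_PATTERN = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": ["DetachPolicy"],
    },
}

# Constructed sample: the SCP/target pairs that must stay attached
# (hypothetical IDs, not taken from the original post).
PROTECTED_ATTACHMENTS = {
    ("p-examplescp1", "ou-ab12-exampleou1"),
}


def pattern_matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must exist in the event;
    a list means 'value is one of these', a dict recurses into a sub-object."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def remediation_target(event):
    """Return the (policyId, targetId) pair to reattach, or None when the event is
    not a DetachPolicy call or the pair is not on the protected list."""
    if not pattern_matches(DETACH_POLICY_PATTERN, event):
        return None
    params = event["detail"]["requestParameters"]
    pair = (params["policyId"], params["targetId"])
    return pair if pair in PROTECTED_ATTACHMENTS else None


def make_event(event_name, policy_id, target_id):
    """Build a constructed CloudTrail-via-EventBridge event for offline testing."""
    return {
        "source": "aws.organizations",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "organizations.amazonaws.com",
            "eventName": event_name,
            "requestParameters": {"policyId": policy_id, "targetId": target_id},
        },
    }
```

The same pattern, as JSON, is what you paste into the EventBridge rule; the protected-list check belongs in the Lambda handler so unrelated SCP detachments only trigger the SNS notification rather than an automatic reattach.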
Conclusion
This guide outlines a solution that keeps Service Control Policies attached to specific OUs or AWS accounts, so that the compliance controls they enforce stay in place across your organization. Detecting detachments, notifying the compliance team, and reattaching the policy automatically means that compliance requirements are met consistently rather than depending on someone noticing the change.