← Wiki

AWS Service Control Policies

An index of resources for implementing and managing AWS SCPs

AWS Jan 2024 (edited Nov 2024)

Tips on Using SCPs

• Quick Tip: Minimizing Terraformed SCPs
• Wiz, Scott Piper: Using Service Control Policies to protect security baselines
• Summit Route, Scott Piper: AWS SCP Best Practices
• Seshu Pasha: AWS Governance — Service Control Policies

Lists of Recommended SCPs

• AWS Organizations SCP Examples
• aws-samples/service-control-policy-examples
• Reducing Attack Surface with AWS Allowlisting
• PrimeHarbor/Chris Farris: org-kickstart/policies
• Latacora: latacora-service-control-policies
• asecure.cloud
• ScaleSec: terraform_aws_scp
• Ashish Rajan: aws-scp-best-practice-policies
• Summit Route, Scott Piper: AWS SCP Best Practices - Example SCPs
• Ian Mckay: List of expensive / long-term effect AWS IAM actions
• Welldone Cloud: aws-scps-for-sandbox-and-training-accounts

Example Policies

Deny IMDSv1

data "aws_iam_policy_document" "deny_imdsv1" {
  statement {
    sid    = "DenyIMDSv1"
    effect = "Deny"
    actions   = ["*"]
    resources = ["*"]

    condition {
      test     = "NumericLessThan"
      variable = "ec2:RoleDelivery"
      values   = ["2.0"]
    }
  }
}

Deny Public Secrets

data "aws_iam_policy_document" "deny_public_secrets" {
  statement {
    sid    = "DenyPublicSecrets"
    effect = "Deny"
    actions   = ["secretsmanager:PutResourcePolicy"]
    resources = ["*"]

    condition {
      test     = "Bool"
      variable = "secretsmanager:BlockPublicPolicy"
      values   = ["false"]
    }
  }
}

Visualization and Management

• scpkit
• Steampipe aws_organizations_policy_target + Node/Edge Visualizations
• wut.dev
• aws-samples/scp-analyzer
• trussworks/terraform-aws-ou-scp