An SCP to Prevent Unwanted AWS Marketplace Subscriptions in New AWS Accounts
Responding to an issue I just saw on X (Twitter)
I just saw a post saying people are getting unwanted AWS Marketplace subscriptions to the tune of $3,000 added to new accounts.
First, if this is a standalone account, or the first account you create in a new organization, you should immediately create a new user with limited permissions disallowing things you don’t want to occur in the root account. Then log in as that user and never use the root user in the top level organization account.
Once you create a new account you should rarely need to use a user in the root account. Log in as a user in another account and make sure you enforce MFA on role assumptions to access the root account. I’ve shown how to do that in many posts and will be demonstrating again shortly.
I created a user, policy and role that disallows creating new users in the initial AWS account, for example, in a prior post. I went through a few iterations to get there and I think I’m going to add a limitation on the AWS Marketplace as well now.
You need to set up an AWS Organization so you can take advantage of Service Control Policies (SCPs), which restrict what new accounts and users can do across all your accounts.
I wrote about the latest iteration of my AWS Organizations container that initializes new top level organization accounts with a new user here:
Once you have an organization, you can create Service Control Policies (SCPs), including one that restricts use of the AWS Marketplace across your whole organization, along with a limitation on which regions may be used.
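An SCP of the kind described above, written here as an added example rather than one of the author’s own templates. The first statement denies every AWS Marketplace action in accounts the policy is attached to; the second denies all actions outside an allow-list of regions, exempting the global services that are only callable in us-east-1. The region list and the exempted service prefixes are assumptions to adjust for your organization. Two caveats: SCPs do not apply to the management account itself, so the limited-permission user described above is still needed there, and denying all of `aws-marketplace:*` also blocks runtime metering calls (`aws-marketplace:MeterUsage`) made by some Marketplace products, so narrow the deny to `aws-marketplace:Subscribe` if such products are already in use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllMarketplaceActions",
      "Effect": "Deny",
      "Action": "aws-marketplace:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyActionsOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "ce:*",
        "cloudfront:*",
        "route53:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the OU that holds new accounts rather than to individual accounts, so every account created into that OU is covered from its first minute.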
I explained SCPs here:
I put new accounts into a Deny All SCP initially or when they are not in use.
Service-linked roles are not subject to service control policies, so an SCP cannot restrict anything AWS Organizations does through one. Make sure you create your organization, OUs and accounts with an Organizations role that is not a service-linked role. I have been demonstrating how to create AWS Organizational Units and Accounts that do not use service-linked roles throughout this series and my templates are on GitHub.
You can check out some of my repos here, but some of this is about to change:

I’m about to release something that will make all of this even easier if you have been following along. I’ll summarize it shortly.
If you want to know if you were affected by unwanted subscriptions, head over to AWS Cost Explorer and check out your charges for AWS Marketplace.

To see which user or role added the subscription, head over to CloudTrail:

Since I don’t have this in my account, I don’t know exactly what to search on, but probably one of these event sources:

Follow for updates.
Teri Radichel | © 2nd Sight Lab 2024
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium email list
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
