avatarTeri Radichel

Free AI web copilot to create summaries, insights and extended knowledge, download it at here

6671

Abstract

ion. Here you can see that we can attach up to 5 policies to the root, each OU, and each account. Remember that policies do not affect the root management account.</p><figure id="953b"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*kWyRmBFLoWK0G9Mk7WKIAg.png"><figcaption></figcaption></figure><p id="7bee">Also note the comment above:</p><blockquote id="0882"><p>Every entity must have at least one SCP attached.</p></blockquote><p id="d633">This leads to our next question. How do service control policies work together? If the default SCP on an account is Allow All but we have a Deny Policy attached to an OU above that account, how does that work?</p><p id="566b"><b><i>Inheritance and precedence</i></b></p><p id="4d42">When you apply a service control policy to an OU in AWS organization, that policy applies to all resources below it. A service principal in an account will only be able to do the things that are allowed by all applicable policies. Unlike some cloud providers where a lower level policy overrides a higher-level policy, an implementation I find to be potentially error prone, AWS policies work top down. If something is denied by a policy at the root of the organization, no one in the organization will be able to take that action.</p><p id="3038">Or as stated in the AWS documentation:</p><blockquote id="7c55"><p>An SCP at a lower level can’t add a permission after it is blocked by an SCP at a higher level. SCPs can <b><i>only</i></b> filter; they never add permissions.</p></blockquote><figure id="d660"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*iBsURbwKEfKFFJ1Z.png"><figcaption>This image is from the AWS documentation in the link below if you want to read more details.</figcaption></figure><div id="e71c" class="link-block"> <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html"> <div> <div> <h2>Inheritance for service control policies</h2> <div><h3>Inheritance for service control policies behaves like a filter through which permissions flow to all parts of the tree…</h3></div> <div><p>docs.aws.amazon.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/)"></div> </div> </div> </a> </div><p id="025a">How does this affect our design choices? Well, we can create up to 5 policies at each level. If we find that we need to create more than 5 distinct policies, then perhaps we need to break the organization out into more levels.</p><p id="6dde">That leads to my next question. How many nested OUs can we have in our organization? We can have up to 1,000 OUs up to 5 levels deep. AWS Control Tower did not support nested OUs in the past, a limitation I could not understand. Now that has been added but it seems a bit complicated:</p><div id="ec6b" class="link-block"> <a href="https://aws.amazon.com/blogs/mt/organizing-your-aws-control-tower-landing-zone-with-nested-ous/"> <div> <div> <h2>Organizing your AWS Control Tower landing zone with nested OUs | Amazon Web Services</h2> <div><h3>AWS Control Tower provides the easiest way for you to set up and govern your AWS environment, or landing zone…</h3></div> <div><p>aws.amazon.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*qZq0jfAUDse4GFpS)"></div> </div> </div> </a> </div><h2 id="891e">Service Control Policy Architecture Strategy</h2><p id="bbef">My guidance on OUs differs from AWS recommendations. Here’s why:</p><p id="7b4b">One of the problems on AWS initially with AWS Organizations is that they were trying to align OUs with both <i>billing</i> and <i>governance</i> — and the boundaries for those two things don’t always align. Applying cost centers does not always align in such a way that you can assign one cost center to a single account. Perhaps you have a security resource that you deploy in every account that gets billed to a security cost center, for example.</p><p id="78ef">However, you can use your OUs and accounts for governance. Each OU contains a set of accounts that has to follow the same rules. If you find too many variations in rules (if, then statements) for a set of accounts, it’s probably time to break them apart into separate OUs or accounts with different policies.</p><p id="cf90">My guidance for structuring Accounts OUs and SCPs is this:</p><ul><li>Separate resources that need to be billed to different cost centers into separate accounts as much as possible.</li><li>For things that cannot be put into separate accounts, you could use cost-allocation tags. And remember, as you creating resources, to understand if you can tag that resource or not. If you use this approach you also have to ensure no one can change or alter the tags in ways that adversely affect your financial reporting. You can use SCPs to try to enforce proper tagging.</li></ul><div id="9987" class="link-block"> <a href="https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html"> <div> <div> <h2>Using AWS cost allocation tags</h2> <div><h3>A tag is a label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value. For each resource…</h3></div> <div><p>docs.aws.amazon.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*kViqRU1bI_JoVhi6)"></div> </div> </div> </a> </div><ul><li>Alternatively, see if cost categories can help you separate out things on bills that need to be billed to different cost centers. If this works for you, it may be better than relying on tags which I have found to be fragile due to the complexities of making sure people can’t change the tags.</li></ul><div id="2d1f" class="link-block"> <a href="https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-cost-categories.html#cost-categories-dimensions"> <div> <div> <h2>Managing your costs with AWS Cost Categories</h2> <div><h3>You can use AWS Cost Categories to map your AWS costs and usage into meaningful categories. With cost categories, you…</h3></div>

Options

            <div><p>docs.aws.amazon.com</p></div>
          </div>
          <div>
            <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/)"></div>
          </div>
        </div>
      </a>
    </div><ul><li>Put your organizational rules that will almost never change on your root account. You want to limit editing these rules the OrgRoot user who should login only on rare occasions when some abnormal event occurs.</li><li>Each policy should serve a single purpose and be easy to read as possible. Unfortunately due to SCP limits you may have to combine a few things but do it as little as possible.</li><li>If you find that you need to add more than 5 policies, consider a new OU (though in some cases you may combine statements in a particular OU if it makes sense and is still easy to read).</li><li>If you find accounts in a particular OU are requiring different policies and rules, create a new OU and move the accounts that need to abide by different rules into different OUs.</li><li>The default policy is an allow all policy. If you know with absolute certainty that there are certain resources that will never be used in your organization, you can add a deny statement for those resources to this policy.</li><li>However, you might want to leave the allow all policy alone and focus on denying egregious and non-compliant actions that should never occur, rather than trying to use SCPs for an Allow list — which is going to get complex very fast.</li><li>Use your IAM Policies, trust policies, and resource policies to create zero-trust allow list policies for resources and principles.</li><li>Adding account-specific policies is like attaching IAM policies to a single user. It’s going to make things more complicated to manage in most cases. Opt to break accounts in to separate OUs instead as much as possible.</li><li>If you have a very specific OU for a limited purpose, you could use an Allow List for that specific OU or account. Perhaps in fully automated single-purpose production accounts you could define a very restrictive OU.</li></ul><p id="49dd">Obviously, as with any architectural guidance, these are not hard and fast rules. You may find a valid reason to adjust them within your organizational structure. Additionally, if your rules are very complex, you might end up hitting the 5 level deep limit. Always look for ways to abstract out the commonalities to simplify your rules, without compromising the intent. Architecting policies is tricky business!</p><h2 id="1d7d">About the Governance Team</h2><p id="c5e9">What about our governance team? If you you have been following along, you may recall that in a past post, I granted access to a governance team to manage service control policies in a governance account, but not the root SCPs.</p><div id="57cd" class="link-block">
      <a href="https://readmedium.com/delegating-scp-management-to-governance-team-via-aws-organizations-53334a31b71c">
        <div>
          <div>
            <h2>Delegating SCP Management to Governance Team via AWS Organizations</h2>
            <div><h3>ACM.141 Delegated AWS Organizations Administrator — Policy as Code</h3></div>
            <div><p>medium.com</p></div>
          </div>
          <div>
            <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/0*Uv6158JyLJJWH1Td.png)"></div>
          </div>
        </div>
      </a>
    </div><p id="7ccb">In this post, we are only <i>deploying some SCPs that apply to the root of our organization that only the Organizational Root user I created in this post can change</i>.</p><div id="34dc" class="link-block">
      <a href="https://readmedium.com/organizational-root-user-for-initial-setup-on-aws-5c1680a98c9a">
        <div>
          <div>
            <h2>Organizational Root User for Initial Setup on AWS</h2>
            <div><h3>ACM.157 Creating an initial user to manage our AWS Organizations and new AWS accounts</h3></div>
            <div><p>medium.com</p></div>
          </div>
          <div>
            <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*SjuA2sHduyzkkHVfLLnoLg.png)"></div>
          </div>
        </div>
      </a>
    </div><p id="100a">These are policies we want to deploy across the organization on any account and that will likely rarely change and we don’t want to have inadvertently or maliciously changed under any circumstances.</p><p id="2284">Once we have those policies in place, then we will once again delegate authority to manage SCPs to the governance team, excluding the root account as we did before. Only this time, I noticed that AWS has added CloudFormation to allow you to deploy that policy, so we’ll use that instead.</p><p id="7b78">Now that we’ve thought about how to architect our service control policies, we’ll go ahead and add some policies to our root OU in the next post.</p><p id="f39e">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2023</i></p><div id="8b5f"><pre><span class="hljs-section">About Teri Radichel:

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre><span class="hljs-section">Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="5a42"><pre>Follow <span class="hljs-keyword">for</span> more stories like <span class="hljs-keyword">this</span>:

❤️ Sign Up my Medium Email List ❤️ Twitter: <span class="hljs-meta">@teriradichel</span> ❤️ LinkedIn: https:<span class="hljs-comment">//www.linkedin.com/in/teriradichel</span> ❤️ Mastodon: <span class="hljs-meta">@teriradichel</span><span class="hljs-meta">@infosec</span>.exchange ❤️ Facebook: 2nd Sight Lab ❤️ YouTube: @2ndsightlab</pre></div><figure id="faf5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>

AWS Service Control Policy Architecture

ACM.169 Designing maintainable, readable, and secure service control policies

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | IAM | Cloud Governance

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post, I showed you some of the issues you might face when trying to close an account. There are also some risks you will want to be aware of related to removing accounts from an AWS organization — who in your organization can remove accounts from the organization?

In this post, we want to take a bit deeper dive look at a strategy for designing Service Control Policies on AWS before we start recreating our organization and integrating with Okta.

Service Control Policy Architecture Components

Before we start designing our Service Control Policies, we need to understand a bit about how multiple policies work together. Here are the key points.

Default Allow Any policy

The default policy is an “Allow Any” policy which allows anything in any account below the root. You could alter that policy to only allow what you know your organization needs to use on AWS but that is likely going to get complex very fast. Creating an Allow List for your entire organization may be quite challenging. There are way too many variables to handle that in one policy for an organization in most cases.

Use SCPs to deny egregious actions

Use Deny policies to prevent egregious actions that you never want to happen in your organization. There are many things that your users never need to do, like make an S3 bucket public. I explained why you never need a public S3 bucket here:

As you become aware of new actions and problems in your accounts that should never occur, add them to your SCPs.

Single-Purpose SCPs (as much as possible)

The simpler you can keep your SCPs, the less chance for error. Complexity is the enemy of security. When you start creating overly complicated logic in a single policy that others cannot easily read and decipher you run the risk of someone inserting soething into that logic that creates a gap in your security policies. They will also be very hard to troubleshoot. Case in point, my experience with the AWS Control Tower policies and the reason I created this new account structure.

Now as we start using multiple policies we need to understand two things — how many policies can we apply to a particular level in our organization and to our organization as a whole? How do the policies work together in terms of precedence and inheritance?

Limits and Quotas for AWS SCPs

As with any cloud resource, there are limits on how many SCPs you can create and apply in your account. Let’s consult the documentation.

The above documentation says we can have up to 1000 policies of each type. So 1000 SCPS is our limit. However, we also need to consider the number of SCPs we can attach at each level of our organization. Here you can see that we can attach up to 5 policies to the root, each OU, and each account. Remember that policies do not affect the root management account.

Also note the comment above:

Every entity must have at least one SCP attached.

This leads to our next question. How do service control policies work together? If the default SCP on an account is Allow All but we have a Deny Policy attached to an OU above that account, how does that work?

Inheritance and precedence

When you apply a service control policy to an OU in AWS organization, that policy applies to all resources below it. A service principal in an account will only be able to do the things that are allowed by all applicable policies. Unlike some cloud providers where a lower level policy overrides a higher-level policy, an implementation I find to be potentially error prone, AWS policies work top down. If something is denied by a policy at the root of the organization, no one in the organization will be able to take that action.

Or as stated in the AWS documentation:

An SCP at a lower level can’t add a permission after it is blocked by an SCP at a higher level. SCPs can only filter; they never add permissions.

This image is from the AWS documentation in the link below if you want to read more details.

How does this affect our design choices? Well, we can create up to 5 policies at each level. If we find that we need to create more than 5 distinct policies, then perhaps we need to break the organization out into more levels.

That leads to my next question. How many nested OUs can we have in our organization? We can have up to 1,000 OUs up to 5 levels deep. AWS Control Tower did not support nested OUs in the past, a limitation I could not understand. Now that has been added but it seems a bit complicated:

Service Control Policy Architecture Strategy

My guidance on OUs differs from AWS recommendations. Here’s why:

One of the problems on AWS initially with AWS Organizations is that they were trying to align OUs with both billing and governance — and the boundaries for those two things don’t always align. Applying cost centers does not always align in such a way that you can assign one cost center to a single account. Perhaps you have a security resource that you deploy in every account that gets billed to a security cost center, for example.

However, you can use your OUs and accounts for governance. Each OU contains a set of accounts that has to follow the same rules. If you find too many variations in rules (if, then statements) for a set of accounts, it’s probably time to break them apart into separate OUs or accounts with different policies.

My guidance for structuring Accounts OUs and SCPs is this:

  • Separate resources that need to be billed to different cost centers into separate accounts as much as possible.
  • For things that cannot be put into separate accounts, you could use cost-allocation tags. And remember, as you creating resources, to understand if you can tag that resource or not. If you use this approach you also have to ensure no one can change or alter the tags in ways that adversely affect your financial reporting. You can use SCPs to try to enforce proper tagging.
  • Alternatively, see if cost categories can help you separate out things on bills that need to be billed to different cost centers. If this works for you, it may be better than relying on tags which I have found to be fragile due to the complexities of making sure people can’t change the tags.
  • Put your organizational rules that will almost never change on your root account. You want to limit editing these rules the OrgRoot user who should login only on rare occasions when some abnormal event occurs.
  • Each policy should serve a single purpose and be easy to read as possible. Unfortunately due to SCP limits you may have to combine a few things but do it as little as possible.
  • If you find that you need to add more than 5 policies, consider a new OU (though in some cases you may combine statements in a particular OU if it makes sense and is still easy to read).
  • If you find accounts in a particular OU are requiring different policies and rules, create a new OU and move the accounts that need to abide by different rules into different OUs.
  • The default policy is an allow all policy. If you know with absolute certainty that there are certain resources that will never be used in your organization, you can add a deny statement for those resources to this policy.
  • However, you might want to leave the allow all policy alone and focus on denying egregious and non-compliant actions that should never occur, rather than trying to use SCPs for an Allow list — which is going to get complex very fast.
  • Use your IAM Policies, trust policies, and resource policies to create zero-trust allow list policies for resources and principles.
  • Adding account-specific policies is like attaching IAM policies to a single user. It’s going to make things more complicated to manage in most cases. Opt to break accounts in to separate OUs instead as much as possible.
  • If you have a very specific OU for a limited purpose, you could use an Allow List for that specific OU or account. Perhaps in fully automated single-purpose production accounts you could define a very restrictive OU.

Obviously, as with any architectural guidance, these are not hard and fast rules. You may find a valid reason to adjust them within your organizational structure. Additionally, if your rules are very complex, you might end up hitting the 5 level deep limit. Always look for ways to abstract out the commonalities to simplify your rules, without compromising the intent. Architecting policies is tricky business!

About the Governance Team

What about our governance team? If you you have been following along, you may recall that in a past post, I granted access to a governance team to manage service control policies in a governance account, but not the root SCPs.

In this post, we are only deploying some SCPs that apply to the root of our organization that only the Organizational Root user I created in this post can change.

These are policies we want to deploy across the organization on any account and that will likely rarely change and we don’t want to have inadvertently or maliciously changed under any circumstances.

Once we have those policies in place, then we will once again delegate authority to manage SCPs to the governance team, excluding the root account as we did before. Only this time, I noticed that AWS has added CloudFormation to allow you to deploy that policy, so we’ll use that instead.

Now that we’ve thought about how to architect our service control policies, we’ll go ahead and add some policies to our root OU in the next post.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Service Control Policy
Architecture
Iam
Governance
Cloud Security
Recommended from ReadMedium
avatarNurunnubi Talukder
Architecture of Amazon Connect!!

To architect Amazon Connect into the following layers — telephony, Amazon Connect interface/API, flows/IVR, agent workstation, and metrics…

3 min read
avatarDavid Ambros
AWS Cognito + Auth0 (OIDC) Authentication System Using IAM Authorization Type: Angular, Amplify…

All signed-in users will be assigned an IAM role, while non-signed-in ones will have another role.

11 min read
avatarAlexander Nguyen
The resume that got a software engineer a $300,000 job at Google.

1-page. Well-formatted.

4 min read
avatarEsteban
Level Up Your Cloud Security: A Quick Introduction to AWS IAM Identity Center

Hey AWS enthusiasts! As your friendly neighborhood community builder, I’m here to delve into a powerful tool for managing access and…

3 min read
avatarAki Ranin
The Death of SaaS

How AI will rewrite the rules of software, again

6 min read
avatarSeifeddine Rajhi
Secure the software supply chain with AWS Signer for signing and validating OCI artifacts

Ensuring the integrity and authenticity of containerized applications and Metadata

4 min read