
Deny Making Agreement Purchases and Reservations

Policy Overview

This AWS Service Control Policy (SCP) is designed to deny a specific set of high-risk actions across various AWS services, unless the actions are performed by designated IAM roles. This helps in mitigating the risk of accidental or unauthorized changes that could lead to security vulnerabilities, unexpected costs, or other operational issues.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "athena:CreateCapacityReservation",
        "aws-marketplace:AcceptAgreementRequest",
        "aws-marketplace:CreateAgreementRequest",
        "aws-marketplace:CreatePrivateMarketplaceRequests",
        "aws-marketplace:Subscribe",
        "backup:PutBackupVaultLockConfiguration",
        "bedrock:CreateFoundationModelAgreement",
        "bedrock:CreateProvisionedModelThroughput",
        "cloudfront:CreateSavingsPlan",
        "devicefarm:PurchaseOffering",
        "directconnect:ConfirmCustomerAgreement",
        "dynamodb:PurchaseReservedCapacityOfferings",
        "ec2:AcceptReservedInstancesExchangeQuote",
        "ec2:CreateCapacityReservation",
        "ec2:CreateCapacityReservationFleet",
        "ec2:CreateReservedInstancesListing",
        "ec2:LockSnapshot",
        "ec2:PurchaseCapacityBlock",
        "ec2:PurchaseHostReservation",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:PurchaseScheduledInstances",
        "eks:CreateEksAnywhereSubscription",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "elemental-appliances-software:CreateOrderV1",
        "elemental-appliances-software:SubmitOrderV1",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "freertos:CreateSubscription",
        "glacier:CompleteVaultLock",
        "glacier:PurchaseProvisionedCapacity",
        "groundstation:ReserveContact",
        "iottwinmaker:UpdatePricingPlan",
        "iq:ApprovePaymentRequest",
        "mediaconnect:PurchaseOffering",
        "medialive:PurchaseOffering",
        "memorydb:PurchaseReservedNodesOffering",
        "outposts:CreateOrder",
        "panorama:ProvisionDevice",
        "quicksight:Subscribe",
        "quicksight:UpdateSPICECapacityConfiguration",
        "rbin:LockRule",
        "rds:PurchaseReservedDBInstancesOffering",
        "redshift:AcceptReservedNodeExchange",
        "redshift:PurchaseReservedNodeOffering",
        "route53domains:AcceptDomainTransferFromAnotherAwsAccount",
        "route53domains:RegisterDomain",
        "route53domains:RenewDomain",
        "route53domains:TransferDomain",
        "route53domains:TransferDomainToAnotherAwsAccount",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3-object-lambda:PutObjectLegalHold",
        "s3-object-lambda:PutObjectRetention",
        "savingsplans:CreateSavingsPlan",
        "shield:CreateSubscription",
        "snowball:CreateJob",
        "snowball:CreateLongTermPricing"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}

Explanation

Policy Elements

  • Effect: Deny
    • This specifies that the actions listed under this policy will be denied.
  • Action: A comprehensive list of high-risk actions from various AWS services.
    • These actions typically involve financial commitments, security configurations, or significant changes to AWS resources.
  • Resource: *
    • The policy applies to all resources in the account.
  • Condition:
    • StringNotLike: The Deny takes effect only when the caller's ARN matches none of the listed patterns, so every principal except the named roles is denied.
    • aws:PrincipalArn: The ARN patterns of the IAM roles exempt from the Deny. The wildcards in arn:*:iam::*:role/... match a role of that name in any partition and any account; for an assumed-role session this key carries the role's ARN, so sessions of the named roles are exempt.

Conditions and Exceptions

  • The StringNotLike condition allows exceptions for IAM roles specified in the aws:PrincipalArn list. This ensures that only trusted roles can perform the specified actions, enhancing security and control. Replace NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE with your actual role name before attaching the policy; the pattern matches the role name at the root path only, so a role created under an IAM path (role/some-path/Name) is not exempt. As with any SCP, principals in the organization's management account are not restricted by this policy.
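To see how the Deny plus StringNotLike exemption evaluates for a given caller, here is a small simulation (an added example, not from the original page or from AWS): it loads a trimmed copy of the policy (three of its actions and the same two role patterns; the full list is in the Policy JSON above) and applies IAM's wildcard rules, treating aws:PrincipalArn of an assumed-role session as the role's own ARN. The account IDs and names in the sample ARNs are constructed.

```python
import json
import re

# Trimmed copy of the SCP on this page: three of its actions and the same
# StringNotLike exemption. Only the action list is shortened.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:PurchaseReservedInstancesOffering",
               "savingsplans:CreateSavingsPlan",
               "s3:PutBucketObjectLockConfiguration"],
    "Resource": "*",
    "Condition": {"StringNotLike": {"aws:PrincipalArn": [
      "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
      "arn:*:iam::*:role/OrganizationAccountAccessRole"]}}
  }]
}""")


def iam_like(pattern, value, case_sensitive=True):
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def scp_denies(policy, principal_arn, action):
    """True if a Deny statement in the SCP applies to this caller and action.

    principal_arn is the value of aws:PrincipalArn: for an assumed-role
    session that is the role ARN (arn:aws:iam::<account>:role/<name>).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # Action names are matched case-insensitively by IAM.
        if not any(iam_like(a, action, case_sensitive=False) for a in actions):
            continue
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}) \
                       .get("aws:PrincipalArn", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        # StringNotLike holds (so the Deny fires) only when NO pattern matches;
        # with no condition at all the Deny is unconditional.
        if not any(iam_like(p, principal_arn) for p in patterns):
            return True
    return False
```

A role created under an IAM path, such as role/platform/OrganizationAccountAccessRole, is denied because the pattern requires the name directly after role/.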

When to Use This Policy

  • Use Case: Apply this policy to prevent unauthorized or accidental execution of high-risk actions that could incur costs or affect security and operations.
  • Ideal For: Organizations that need to enforce strict controls on resource provisioning, financial commitments, and security configurations across multiple AWS services.

Benefits

  • Enhanced Security: Prevents unauthorized changes to critical configurations and resources.
  • Cost Management: Reduces the risk of unexpected charges by controlling actions that involve financial commitments.
  • Operational Stability: Helps maintain consistent and stable operations by limiting high-impact actions to designated roles.

Potential Drawbacks

  • Increased Management Overhead: Requires careful management of the IAM roles listed in the exceptions to ensure the right balance between security and operational flexibility.
  • Potential for Misconfiguration: Misconfigurations in the policy or the IAM roles can lead to operational disruptions if legitimate actions are inadvertently denied.

Conclusion

Implementing this Service Control Policy enhances security and operational control within your AWS environment. It ensures that high-risk actions are only performed by trusted roles, mitigating the risk of accidental or unauthorized changes. Regular review and updates of the IAM roles specified in the policy are recommended to adapt to the evolving needs and structure of the organization.

Sources