Account Takeover Prevention
AWS Service Control Policy: Preventing Unauthorized Changes
This Service Control Policy (SCP) is designed to protect your AWS account from unauthorized changes that could compromise security or disrupt operations. Specifically, it prevents an attacker with admin or root permissions from disabling local logging, changing the account owner, or removing the account from your organization.
Policy Details
Scope: This SCP should be applied to the Root Organizational Unit (OU).
JSON Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectAccountSettings",
      "Effect": "Deny",
      "Action": [
        "aws-portal:Modify*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```
Policy Breakdown
- ProtectCloudTrail
  - Sid: ProtectCloudTrail
  - Effect: Deny
  - Actions: cloudtrail:DeleteTrail, cloudtrail:PutEventSelectors, cloudtrail:StopLogging, cloudtrail:UpdateTrail
  - Resource: *
  - Description: Denies deleting, reconfiguring (including changing event selectors), or stopping CloudTrail trails, so that activity within the account keeps being logged and remains auditable.
- ProtectAccountSettings
  - Sid: ProtectAccountSettings
  - Effect: Deny
  - Actions: aws-portal:Modify*
  - Resource: *
  - Description: Denies modifications to the account settings in the AWS Management Console, safeguarding against unauthorized changes to billing and account information.
- DenyLeaveOrganization
  - Sid: DenyLeaveOrganization
  - Effect: Deny
  - Actions: organizations:LeaveOrganization
  - Resource: *
  - Description: Denies the account from leaving the AWS Organization, ensuring that it remains under the organization's control.
Benefits
- Enhanced Security: By restricting critical actions, this policy mitigates the risk of malicious or accidental changes that could compromise the security and integrity of your AWS environment.
- Auditability: Ensuring that CloudTrail logging cannot be disabled helps maintain a comprehensive audit trail of all actions performed in the account.
- Organizational Control: Preventing the account from leaving the organization maintains centralized control and governance.
Potential Drawbacks
- Operational Overhead: If legitimate changes to CloudTrail settings or account configuration are needed, these restrictions may require temporarily detaching the policy or escalating to a higher level of administrative oversight.
- Complexity: Managing exceptions and ensuring that the SCP does not interfere with necessary operations can add complexity to account management.
Implementation Steps
- Apply the SCP to the Root OU:
  - Navigate to the AWS Organizations console.
  - Select the Root OU.
  - Attach the above SCP so it is enforced across all accounts within the Root OU.
- Review and Test:
  - Verify that the policy does not interfere with necessary operations by testing in a controlled environment.
  - Monitor for any issues and adjust as necessary.
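One way to do part of that review offline, before the SCP is attached: check which of a workload's API actions the Deny statements above would match. This is an added example, not code from the page's source; it embeds the policy as written and the pipeline action list is constructed sample data.

```python
import fnmatch
import json

# The SCP from this page, embedded so the check runs offline.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors",
                "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"]},
    {"Sid": "ProtectAccountSettings", "Effect": "Deny", "Resource": "*",
     "Action": ["aws-portal:Modify*"]},
    {"Sid": "DenyLeaveOrganization", "Effect": "Deny", "Resource": "*",
     "Action": ["organizations:LeaveOrganization"]}
  ]
}""")


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def denying_sids(policy, action):
    """Return Sids of Deny statements whose Action list matches `action`.
    Resource and Condition are ignored: every statement here uses Resource "*"
    and has no Condition. SCPs also never apply to the management account."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(action_matches(p, action) for p in patterns):
            sids.append(stmt["Sid"])
    return sids


def blocked_actions(policy, actions):
    """Map each action a workload needs to the Sids that would block it."""
    return {a: denying_sids(policy, a) for a in actions}


# Constructed sample: API calls a trail-maintenance pipeline might make.
PIPELINE_ACTIONS = ["cloudtrail:StartLogging", "cloudtrail:UpdateTrail",
                    "aws-portal:ViewBilling", "aws-portal:ModifyBilling",
                    "organizations:DescribeOrganization"]

if __name__ == "__main__":
    for action, sids in blocked_actions(SCP, PIPELINE_ACTIONS).items():
        print(f"{action:38} {'DENIED by ' + ', '.join(sids) if sids else 'allowed'}")
```

Any action reported as denied needs either a different workflow or the higher-level administrative handling described under Potential Drawbacks.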
By implementing this SCP, you can strengthen the security posture of your AWS accounts, ensuring that critical logging remains intact and account settings are protected from unauthorized changes.
Sources
- PrimeHarbor