Prevent Disabling Block Public Access

Overview

This AWS Service Control Policy (SCP) is designed to prevent the disabling of public access blocks on Amazon S3 buckets, AWS accounts, EC2 images, and EC2 snapshots. The policy ensures that only specified IAM roles can modify these critical security settings, helping to maintain the integrity of your cloud environment.

JSON Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventDisableBlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock",
        "ec2:DisableImageBlockPublicAccess",
        "ec2:DisableSnapshotBlockPublicAccess"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}

Explanation

Statements

  • Sid: "PreventDisableBlockPublicAccess" - A unique identifier for this specific statement within the policy.
  • Effect: "Deny" - This policy denies the specified actions.
  • Action: A list of actions related to disabling or modifying public access blocks that are denied:
    • s3:PutBucketPublicAccessBlock
    • s3:PutAccountPublicAccessBlock
    • ec2:DisableImageBlockPublicAccess
    • ec2:DisableSnapshotBlockPublicAccess
  • Resource: "*" - The statement applies to every resource in the account; a Deny cannot be scoped down by the caller.
  • Condition: Additional conditions that refine the statement:
    • StringNotLike: The Deny takes effect whenever aws:PrincipalArn does not match any of the listed patterns; only principals whose ARN matches one of them are exempt:
      • arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE
      • arn:*:iam::*:role/OrganizationAccountAccessRole
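To check how the Deny and its StringNotLike condition combine before deploying the SCP, the following Python evaluator is an added example (not code from this page or from AWS). It embeds the policy above, models only the operator this policy uses, and takes as assumptions the IAM wildcard rules ('*' and '?'), case-insensitive action matching, and the constructed account id 123456789012.

```python
import re

# The SCP from this page, embedded as a Python dict so it can be evaluated offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PreventDisableBlockPublicAccess",
        "Effect": "Deny",
        "Action": [
            "s3:PutBucketPublicAccessBlock",
            "s3:PutAccountPublicAccessBlock",
            "ec2:DisableImageBlockPublicAccess",
            "ec2:DisableSnapshotBlockPublicAccess",
        ],
        "Resource": ["*"],
        "Condition": {"StringNotLike": {"aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:*:iam::*:role/OrganizationAccountAccessRole",
        ]}},
    }],
}

def iam_like(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """True if a Deny statement in the SCP blocks `action` for `principal_arn`.

    For a negated operator (StringNotLike) with several values, the condition is
    false as soon as the key matches any one value, so that principal is exempt.
    For an assumed-role session, aws:PrincipalArn is the role ARN (arn:...:role/Name).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(iam_like(a, action, ignore_case=True) for a in stmt["Action"]):
            continue  # action not covered; Resource "*" needs no further check
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        if not any(iam_like(p, principal_arn) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample principals; 123456789012 is a placeholder account id.
    for arn in ("arn:aws:iam::123456789012:role/OrganizationAccountAccessRole",
                "arn:aws:iam::123456789012:role/DeveloperRole",
                "arn:aws:iam::123456789012:root"):
        verdict = "DENIED" if scp_denies(SCP, "s3:PutBucketPublicAccessBlock", arn) else "not blocked"
        print(f"{arn} -> {verdict}")
```

Note that the account root user is denied like any other non-exempt principal, since SCPs apply to the root user of member accounts.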

When to Use This Policy

  • Preventing Accidental Exposure: Use this policy to prevent accidental or unauthorized changes that could disable public access blocks, thereby exposing resources to the internet.
  • Securing Data: Ensures that public access blocks, which are critical for securing data, remain enforced.

Benefits

  • Enhanced Security: Prevents changes that could compromise the security of your data by disabling public access blocks.
  • Controlled Management: Ensures that only designated roles with appropriate privileges can modify critical security settings.
  • Compliance: Helps maintain compliance with security best practices by enforcing strict access control.

Potential Drawbacks

  • Restricted Flexibility: May limit legitimate changes by administrators if their roles are not included in the exceptions.
  • Management Overhead: Requires careful management to ensure the correct roles are allowed to make necessary changes when needed.

Summary

This SCP is an essential tool for maintaining the security of your AWS resources by preventing the disabling of public access blocks. By restricting this capability to specific IAM roles, it helps ensure that your data remains protected against unauthorized public access. Regularly review and update the policy to ensure it aligns with your organizational requirements and security policies.