AWS organizations documentation change
Summary
Restructured introduction section to emphasize SCP fundamentals and testing requirements, replaced detailed policy examples with a link to GitHub repository, and updated section headings
Security assessment
The changes enhance documentation about security guardrails by clarifying SCP behavior (coarse-grained deny policies requiring explicit IAM permissions), emphasizing testing procedures to prevent accidental lockouts, and explaining policy evaluation logic. No specific vulnerability is addressed, but security best practices are reinforced through improved explanations of permission boundaries.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_policies_scps_examples.md b/organizations/latest/userguide/orgs_manage_policies_scps_examples.md index e51d392f4..006eabece 100644 --- a//organizations/latest/userguide/orgs_manage_policies_scps_examples.md +++ b//organizations/latest/userguide/orgs_manage_policies_scps_examples.md @@ -4,0 +5,2 @@ +GitHub repository + @@ -11,3 +13 @@ The example [service control policies (SCPs)](./orgs_manage_policies_scps.html) -Before you use these example SCPs in your organization, do the following: - - * Carefully review and customize the SCPs for your unique requirements. +Before you use these example SCPs in your organization, consider the following: @@ -15 +15 @@ Before you use these example SCPs in your organization, do the following: - * Thoroughly test the SCPs in your environment with the AWS services that you use. + * [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) are meant to be used as coarse-grained guardrails, and they don't directly grant access. The administrator must still attach [identity-based or resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) to IAM principals or resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between the Service control policy/Resource control policy and an identity policy or the Service control policy/Resource control policy and a resource policy. You can get more details about SCP effects on permissions [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions). @@ -17 +17 @@ Before you use these example SCPs in your organization, do the following: -The example policies in this section demonstrate the implementation and use of SCPs. They're **_not_** intended to be interpreted as official AWS recommendations or best practices to be implemented exactly as shown. It is your responsibility to carefully test any deny-based policies for its suitability to solve the business requirements of your environment. Deny-based service control policies can unintentionally limit or block your use of AWS services unless you add the necessary exceptions to the policy. For an example of such an exception, see the first example that exempts global services from the rules that block access to unwanted AWS Regions. + * A [Service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html), when attached to an organization, organization unit or an account offers a central control over the maximum available permissions for all accounts in your organization, organization unit or an account. As an SCP can be applied at multiple levels in an organization, understanding how [SCPs are evaluated](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html) can help you write SCPs that yield the right outcome. @@ -19 +19 @@ The example policies in this section demonstrate the implementation and use of S - * Remember that an SCP affects every user and role, including the root user, in every account that it's attached to. + * The service control policies in this repository are shown as examples. You should not attach SCPs without thoroughly testing the impact that the policy has on accounts. Once you have a policy ready that you would like to implement, we recommend testing in a separate organization or OU that can be represent your production environment. Once tested, you should deploy changes to more specific OUs and then slowly deploy the changes to broader and broader OUs over time. @@ -21 +21 @@ The example policies in this section demonstrate the implementation and use of S - * Remember that an SCP does not affect service-linked roles. Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs. + * The SCP examples in this repository use a [deny list strategy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html#strategy_using_scps), which means that you also need a [FullAWSAccess](https://console.aws.amazon.com/organizations/?#/policies/p-FullAWSAccess) policy or other policy that allows access attached to your organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies. @@ -30,83 +30 @@ You can use [service last accessed data](https://docs.aws.amazon.com/IAM/latest/ -Each of the following policies is an example of a [deny list policy](./orgs_manage_policies_scps_evaluation.html#how_scps_deny) strategy. Deny list policies must be attached along with other policies that allow the approved actions in the affected accounts. For example, the default `FullAWSAccess` policy permits the use of all services in an account. This policy is attached by default to the root, all organizational units (OUs), and all accounts. It doesn't actually grant the permissions; no SCP does. Instead, it enables administrators in that account to delegate access to those actions by attaching standard AWS Identity and Access Management (IAM) permissions policies to users, roles, or groups in the account. Each of these deny list policies then overrides any policy by blocking access to the specified services or actions. - -###### Contents - - * [General examples](./orgs_manage_policies_scps_examples_general.html) - - * [ Deny access to AWS based on the requested AWS Region](./orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) - - * [ Prevent IAM users and roles from making certain changes](./orgs_manage_policies_scps_examples_general.html#example-scp-restricts-iam-principals) - - * [ Prevent IAM users and roles from making specified changes, with an exception for a specified admin role](./orgs_manage_policies_scps_examples_general.html#example-scp-restricts-with-exception) - - * [ Require MFA to perform an API operation](./orgs_manage_policies_scps_examples_general.html#example-scp-mfa) - - * [ Block service access for the root user](./orgs_manage_policies_scps_examples_general.html#example-scp-root-user) - - * [ Prevent member accounts from leaving the organization](./orgs_manage_policies_scps_examples_general.html#example-scp-leave-org) - - * [Example SCPs for Amazon Bedrock](./orgs_manage_policies_scps_examples_bedrock.html) - - * [Deny access to specific Amazon Bedrock models](./orgs_manage_policies_scps_examples_bedrock.html#example-bedrock-1) - - * [Restrict access to specific Amazon Bedrock models or model families across an entire organization](./orgs_manage_policies_scps_examples_bedrock.html#example-bedrock-2) - - * [Restrict creation and use of Amazon Bedrock API keys](./orgs_manage_policies_scps_examples_bedrock.html#example-bedrock-3) - - * [Restrict creation of long-term Amazon Bedrock API keys valid beyond 30 days](./orgs_manage_policies_scps_examples_bedrock.html#example-bedrock-4) - - * [Example SCPs for Amazon Q Developer in chat applications](./orgs_manage_policies_scps_examples_chatbot.html) - - * [Deny all IAM operation](./orgs_manage_policies_scps_examples_chatbot.html#example_cloudwatch_1) - - * [Deny S3 bucket put requests from a specified Slack channel](./orgs_manage_policies_scps_examples_chatbot.html#example_cloudwatch_2) - - * [Example SCPs for Amazon CloudWatch](./orgs_manage_policies_scps_examples_cloudwatch.html) - - * [ Prevent users from disabling CloudWatch or altering its configuration](./orgs_manage_policies_scps_examples_cloudwatch.html#example_cloudwatch_1) - - * [Example SCPs for AWS Config](./orgs_manage_policies_scps_examples_config.html) - - * [ Prevent users from disabling AWS Config or changing its rules](./orgs_manage_policies_scps_examples_config.html#example_config_1) - - * [Example SCPs for Amazon Elastic Compute Cloud (Amazon EC2)](./orgs_manage_policies_scps_examples_ec2.html) - - * [Require Amazon EC2 instances to use a specific type](./orgs_manage_policies_scps_examples_ec2.html#example-ec2-1) - - * [Prevent launching EC2 instances without IMDSv2](./orgs_manage_policies_scps_examples_ec2.html#example-ec2-2) - - * [Prevent disabling of default Amazon EBS encryption](./orgs_manage_policies_scps_examples_ec2.html#example-ec2-3) - - * [Prevent creating and attaching non-gp3 volumes](./orgs_manage_policies_scps_examples_ec2.html#example-ec2-4) - - * [Example SCPs for Amazon GuardDuty](./orgs_manage_policies_scps_examples_guardduty.html) - - * [ Prevent users from disabling GuardDuty or modifying its configuration](./orgs_manage_policies_scps_examples_guardduty.html#example_guardduty_1) - - * [Example SCPs for AWS Resource Access Manager](./orgs_manage_policies_scps_examples_ram.html) - - * [ Preventing external sharing](./orgs_manage_policies_scps_examples_ram.html#example_ram_1) - - * [Restrict resource sharing to specific account IDs](./orgs_manage_policies_scps_examples_ram.html#example_ram_2) - - * [ Prevent sharing with organizations or organizational units (OUs)](./orgs_manage_policies_scps_examples_ram.html#example_ram_3) - - * [ Allow sharing with only specified IAM users and roles](./orgs_manage_policies_scps_examples_ram.html#example_ram_4) - - * [Example SCPs for Amazon Application Recovery Controller (ARC)](./orgs_manage_policies_scps_examples_app_rec_con.html) - - * [Prevent users from updating ARC routing control states](./orgs_manage_policies_scps_examples_app_rec_con.html#example_app_rec_con) - - * [Example SCPs for Amazon S3](./orgs_manage_policies_scps_examples_s3.html) - - * [Prevent Amazon S3 unencrypted object uploads](./orgs_manage_policies_scps_examples_s3.html#example-s3-1) - - * [Example SCPs for tagging resources](./orgs_manage_policies_scps_examples_tagging.html) - - * [ Require a tag on specified created resources](./orgs_manage_policies_scps_examples_tagging.html#example-require-tag-on-create) - - * [ Prevent tags from being modified except by authorized principals](./orgs_manage_policies_scps_examples_tagging.html#example-require-restrict-tag-mods-to-admin) - - * [Example SCPs for Amazon Virtual Private Cloud (Amazon VPC)](./orgs_manage_policies_scps_examples_vpc.html) - - * [ Prevent users from deleting Amazon VPC flow logs](./orgs_manage_policies_scps_examples_vpc.html#example_vpc_1) +## GitHub repository @@ -114 +32 @@ Each of the following policies is an example of a [deny list policy](./orgs_mana - * [ Prevent any VPC that doesn't already have internet access from getting it](./orgs_manage_policies_scps_examples_vpc.html#example_vpc_2) + * [Service control policy examples](https://github.com/aws-samples/service-control-policy-examples) \- This GitHub repository contains example policies to get started or mature your usage of AWS SCPs @@ -127 +45 @@ SCP syntax -General examples +Troubleshooting