Introduction
AWS Organizations provides the capability to centrally manage and govern your AWS environment. As an organization, you can delegate administration of specific AWS services integrated with AWS Organizations to authorized individuals or teams. Implementing effective controls for these delegated administrators is essential to ensuring the security, compliance, and operational efficiency of your AWS environment.
This blog post outlines best practices for using IAM policy conditions, Permission boundaries, and Service Control Policies (SCPs) to enhance control and governance in AWS Organizations. By following this guidance, delegated administrators can:
- Apply fine-grained access controls through the use of IAM policy conditions in identity-based policies
- Limit the maximum permissions of IAM users and roles using permission boundaries
- Control the maximum available permissions for the IAM users and IAM roles in your organization through the application of Service Control Policies (SCPs)
- Implement a layered approach to controls that provides redundancy and mitigates potential gaps or errors
- Streamline the management of controls across multiple accounts and Organizational Units (OUs)
- Simplify the process of adhering to your organization’s security policies and compliance requirements
Getting Started with Controls
Let’s dive into how these control mechanisms can be effectively implemented and managed in your AWS environment. We’ll explore best practices, real-world examples, and key considerations for each type of control.
Implementing layered controls can provide additional safeguards and redundancy. However, it’s important to balance the added security benefits with the complexity of managing multiple overlapping policies. We’ll discuss how to find the right approach for your specific needs.
Understanding Preventative Controls
Preventative controls in AWS are predefined rules or policies that ensure resources adhere to organizational policies and best practices.
- Conditional Statements: Conditional statements in policies allow you to specify conditions under which a policy is in effect, providing finer-grained control over permissions.
- Permission Boundaries: Permission boundaries are managed policies that control the maximum permissions a principal (IAM user or role) can have. They limit the permissions granted by the principal’s identity-based policies.
- Service Control Policies (SCPs): SCP’s are policies that specify an account’s maximum permissions. They can be expressed in JSON or YAML and are attached to organizational units (OUs) or accounts within your AWS Organizations to help enforce permission controls across your organization.
Each mechanism – conditional statements, permission boundaries, and SCPs – has its strengths and can be used independently or in combination. A layered approach provides additional safeguards but may increase complexity. The optimal approach depends on your specific requirements, environment complexity, and internal processes. Carefully consider the tradeoffs between added security benefits and the overhead of managing multiple overlapping policies. Work closely with stakeholders to choose the right balance of control mechanisms that effectively enforce your security and compliance standards.
Conditional Statements
Conditions set specific parameters to allow or deny permissions in a policy. They can leverage resource tags, service-specific conditions, or global condition keys. For more information on the available operators and applications of conditions elements in IAM policies, see IAM JSON policy elements: Condition in the AWS Identity and Access Management User Guide.
AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources and is essential for multi-account infrastructures, especially when used with AWS Control Tower for detective controls. AWS Control Tower makes it easy for you to set up and govern a secure, multi-account AWS environment. Let’s explore how to apply conditional statements, permission boundaries, and Service Control Policies (SCPs) to AWS Config..
Using Conditional Statements with Resource Tags: Resource tags are key-value pairs attached to AWS resources, including Identity and Access Management (IAM) users and roles. They enable more granular access control policies based on tags associated with the principal or resource.
The example below restricts AWS Config access by Department. The following policy grants “config:*” permissions only to users tagged with “department”: “audit”.
This policy ensures only audit team members can perform AWS Config operations, enhancing access control precision.
There are several service-specific conditions, as well as, global condition keys that can be used to apply conditional statements to a policy. For more information, visit AWS global condition context keys in the AWS Identity and Access Management User Guide.
Best Practices for Using Conditional Statements
- Specify Conditions for Access: Use conditions in policies to specify when and how permissions are granted. (e.g., IP addresses, time of day, multi-factor authentication)
- Use Tags for Resource-Based Conditions: Implement tag-based conditions to control access to resources. This practice allows you to manage permissions based on resource tags.
- Combine Multiple Conditions: Use multiple conditions to create more granular policies. Combining conditions can help enforce strict access controls.
- Audit and Update Conditions: Regularly audit policies with conditional statements to ensure they remain effective and relevant. Update conditions as your organizational requirements change.
Permission Boundaries
Consider a large financial services company delegating AWS Config administration to an audit team. The company needs to ensure these auditors can perform necessary operations while limiting their maximum permissions to prevent unintended or malicious actions.
Permission boundaries define the maximum permissions a principal (IAM user or role) can have, regardless of their identity-based policies.
Step 1: Create a Permission Boundary Policy
The security team creates a policy that allows all AWS Config operations but explicitly denies the ability to delete Config rules, recorders, or delivery channels. This ensures auditors can manage day-to-day operations without disabling critical Config infrastructure.
Example Permission Boundary Policy:
- Log in to the AWS Management Console.
- Navigate to the IAM service.
- Create a new policy with the following JSON:
Additional Resources
- Service Control Policies (SCPs)
- IAM Permission Boundaries
- IAM Policy Elements: Condition
- AWS CloudTrail Documentation
- AWS Security Best Practices