An SCP to Prevent Unwanted AWS MarketPlace Subscriptions in New AWS Accounts | by Teri Radichel | Cloud Security | January 2024


Reply to a problem I just saw on X (Twitter)

I just saw an article saying people are getting unwanted AWS Marketplace subscriptions to the tune of $3000 added to new accounts.

First, if this is a standalone account or the first account you create in a new organization, you should immediately create a new IAM user with limited permissions that prohibit the actions you don’t want to happen in the root account. Then log in as that user and never use the root user in the top-level organization account.

Once you create a new account, you should rarely need to use a user in the root account. Instead, log in as a user in another account and assume a role into the root account, making sure the role assumption requires multi-factor authentication. I’ve shown how to do this in many articles and will do it again shortly.

In a previous article, for example, I created a user, policy and role that prohibit the creation of new users in the initial AWS account. I’ve gone through a few iterations to get this right, and I think I’ll also add a restriction on AWS Marketplace.

You must configure an AWS organization in order to use service control policies (SCPs), which are the restrictions you apply to new accounts and users across all of your accounts.

I wrote here about the latest iteration of my AWS Organizations container that initializes new top-level organization accounts with a new user:

Once you have an organization, you can create Service Control Policies (SCPs), including one that restricts the use of AWS Marketplace across your organization and one that limits the regions that can be used.
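The two documents discussed above, as an added example that is not from the original post: an SCP that denies every AWS Marketplace action and restricts regional API calls to an allowed list, plus a trust policy for the cross-account role into the top-level account that requires MFA on sts:AssumeRole. The allowed regions, the account ID and the list of global services exempted from the region check are assumptions constructed for the example; the small matcher at the bottom models only the Action/NotAction and aws:RequestedRegion forms used here so you can sanity-check the policy offline before attaching it.

```python
"""Added example: build an SCP (Marketplace deny + region restriction) and an
MFA-gated role trust policy, with a minimal local matcher for sanity checks."""
import fnmatch
import json

# Regions the organization may operate in (constructed for this example).
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]

# Global services whose calls are not bound to an allowed region; the region
# statement exempts them via NotAction. This subset is an assumption here.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*", "budgets:*",
    "cloudfront:*", "route53:*", "health:*", "account:*",
]


def build_scp(allowed_regions):
    """Return the SCP document as a dict (SCPs use IAM policy JSON)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Deny every AWS Marketplace action, Subscribe included.
                "Sid": "DenyMarketplace",
                "Effect": "Deny",
                "Action": ["aws-marketplace:*"],
                "Resource": "*",
            },
            {   # Deny regional API calls outside the allowed regions.
                "Sid": "DenyUnapprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": allowed_regions}
                },
            },
        ],
    }


def build_trust_policy(trusted_account_id):
    """Trust policy for a role in the top-level account that is assumed from
    another account; aws:MultiFactorAuthPresent makes MFA mandatory."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def _action_in(action, patterns):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def scp_denies(scp, action, region):
    """Simplified check: True if any Deny statement matches the request.
    Real evaluation also considers the rest of the policy chain."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            matched = _action_in(action, stmt["Action"])
        else:
            matched = not _action_in(action, stmt["NotAction"])
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "aws:RequestedRegion" in cond:
            matched = matched and region not in cond["aws:RequestedRegion"]
        if matched:
            return True
    return False


if __name__ == "__main__":
    scp = build_scp(ALLOWED_REGIONS)
    print(json.dumps(scp, indent=2))
    print(json.dumps(build_trust_policy("111111111111"), indent=2))  # placeholder ID
    for action, region in [("aws-marketplace:Subscribe", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("iam:CreateUser", "eu-west-1")]:
        print(f"{action:28s} {region:10s} denied={scp_denies(scp, action, region)}")
```

Two points to keep in mind when applying this: an SCP never affects the management (top-level) account itself, which is why the post pairs the SCP with a restricted IAM user and policy in that account; and the region statement should be reviewed against the full list of global services your accounts actually call, since anything missing from the NotAction list will be denied.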

I explained SCPs here:
