The conundrum of limiting access to modify a single service control policy | by Teri Radichel | Cloud Security | November 2023


Part of my series on Automation of cybersecurity measures. AWS Organizations. I AM. Deploy a static website. THE Coded.

Free content on Cybersecurity Jobs | Register at Broadcast list

In the last post, I automated the deployment of my AWS Organization Resource Policy which defines Managing Director accounts for the AWS Organizations service.

Next, I was going to add an admin user to the account I had delegated access to to the organizations, but I spent way too much time on this, so this becomes its own post.

I was thinking of creating a default admin user in each account in case of emergency. The admin user would be restricted by service control policies. I thought maybe I could write a single admin service control policy that would limit the new user’s access to my root-orgadmin account. The account will be all-powerful but didn’t want it – or any other admin – to be able to change the admin’s SCP.

I’ve encountered a few obstacles and probably won’t use SCP for this purpose.

What restrictions do we want to impose on our default admin users?

For the orgroot-root user, we want broad enough permissions to troubleshoot as needed across all accounts in case of an emergency.

The main service control policy I want to enforce right now is a restriction on changing other people’s credentials. I’ve looked at how to do this in previous articles with IAM policies.

Creating a service control policy for this based on principal was complicated, but I found a few additional possible options we can try:

Share This Article
Leave a comment