Scps

Tips on using SCPs

• Quick Tip: Minimizing Terraformed SCPs
• Wiz, Scott Piper: Using Service Control Policies to protect security baselines
• Summit Route, Scott Piper: AWS SCP Best Practices
• Seshu Pasha: AWS Governance — Service Control Policies

Lists of Recommended SCPs

• AWS Organizations SCP Examples
• aws-samples/service-control-policy-examples
• Reducing Attack Surface with AWS Allowlisting
• PrimeHarbor/Chris Farris: org-kickstart/policies
• Latacora: latacora-service-control-policies
• asecure.cloud
• ScaleSec: terraform_aws_scp
• Ashish Rajan: aws-scp-best-practice-policies
• Summit Route, Scott Piper: AWS SCP Best Practices - Example SCPs
• Ian Mckay: List of expensive / long-term effect AWS IAM actions
• Welldone Cloud: aws-scps-for-sandbox-and-training-accounts

Additional examples:

# deny the usage of imdsv1
data "aws_iam_policy_document" "deny_imdsv1" {
  statement {
    sid    = "DenyIMDSv1"
    effect = "Deny"

    actions = [
      "*",
    ]

    resources = [
      "*",
    ]

    condition {
      test     = "NumericLessThan"
      variable = "ec2:RoleDelivery"
      values   = ["2.0"]
    }
  }
}
# deny creating public secrets
data "aws_iam_policy_document" "deny_public_secrets" {
  statement {
    sid    = "DenyPublicSecrets"
    effect = "Deny"

    actions = [
      "secretsmanager:PutResourcePolicy",
    ]

    resources = [
      "*",
    ]

    condition {
      test     = "Bool"
      variable = "secretsmanager:BlockPublicPolicy"
      values   = ["false"]
    }
  }
}

Visualization and Management

• scpkit
• Steampipe aws_organizations_policy_target + Node/Edge Visualizations#
• wut.dev
• aws-samples/scp-analyzer
• trussworks/terraform-aws-ou-scp