Published in Cloud Security

AWS Service Control Policies

Governance: Setting security controls at the organizational level

  • Create or choose a principal that is allowed to deploy SCPs.
  • Create or choose a principal that is allowed to manage domain names (transfers, register, deregister).
  • Create an SCP that denies everyone but our SCP admin from creating, modifying or deleting SCPs.
  • Create an SCP to require MFA for all role assumptions for users.
  • Create an SCP that denies everyone but our domain administrator principal from performing the Route 53 domain actions, and only in the domains account.
  • Create an SCP to deny PassRole to any user because as noted we currently don’t need that permission and it poses a risk. (We are using roles with the CLI and requiring MFA.) We can restore this permission if and when we need it later.
  • Create a PermissionBoundary that only allows users to change their own password, manage their own MFA keys, or add their own developer keys. *
  • Create an SCP to deny anyone but our IAM admin the CreateUser permission, and require that any user created has the specified PermissionBoundary attached.
  • Limit root account actions.
  • Prevent the account from being removed from the organization to circumvent the rules.
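Two of the SCPs from the list above written out as policy documents, with a small check that the Deny skips the intended principal and catches a request made without MFA. This is an added example, not code from the original post; the account ID and role ARNs are constructed placeholders, and the evaluator handles only the two condition operators these policies use (it is not a full IAM policy simulator). Keep in mind that SCPs never apply to the organization's management account, so a statement protecting SCPs only constrains policy management done from a delegated-administrator member account.

```python
import fnmatch

SCP_ADMIN_ROLE_ARN = "arn:aws:iam::111111111111:role/SCPAdmin"  # constructed placeholder
SCP_MGMT_ACTIONS = ["organizations:CreatePolicy", "organizations:UpdatePolicy",
                    "organizations:DeletePolicy", "organizations:AttachPolicy",
                    "organizations:DetachPolicy"]

def protect_scps_policy(admin_role_arn):
    """SCP: deny SCP management to every principal except the SCP admin role.
    For role sessions aws:PrincipalArn carries the role ARN, not the session ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySCPChangesExceptAdmin", "Effect": "Deny",
        "Action": SCP_MGMT_ACTIONS, "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": [admin_role_arn]}}}]}

def require_mfa_for_assume_role_policy():
    """SCP: deny sts:AssumeRole unless MFA was used. BoolIfExists makes the Deny
    apply when the key is absent, as it is for requests signed with long-term keys."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAssumeRoleWithoutMFA", "Effect": "Deny",
        "Action": "sts:AssumeRole", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

def _condition_matches(condition, context):
    """Toy evaluator for the two operators used above; not a full IAM simulator."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "ArnNotLike":
                # Condition holds only if the principal matches none of the patterns.
                if any(fnmatch.fnmatchcase(actual or "", p) for p in expected):
                    return False
            elif operator == "BoolIfExists":
                # Absent key counts as a match; a present key must equal the expected value.
                if actual is not None and str(actual).lower() != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def scp_denies(policy, action, context):
    """True if a Deny statement in the SCP applies to this action under this context."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny"
                and any(fnmatch.fnmatchcase(action, a) for a in actions)
                and _condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False
```

The request context passed to scp_denies is a dict of condition keys as they would appear in the request, for example {"aws:PrincipalArn": ..., "aws:MultiFactorAuthPresent": "true"}.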
Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty |