Profile Applicability:
- Level 1
Description:
Service Control Policies (SCPs) are a feature of AWS Organizations that allow administrators to control the maximum available permissions for accounts within an organization. SCPs can be used to restrict access to specific AWS regions for all accounts in the organization or specific organizational units (OUs). This SOP ensures that the regions available for use within an AWS Organization are controlled through SCPs to mitigate potential risks related to resource provisioning or data residency.
Rationale:
Security: Restricting the use of AWS regions helps ensure that sensitive data does not reside in unapproved regions and reduces the attack surface by limiting the regions available for launching resources.
Compliance: Certain regulatory frameworks (e.g., GDPR, HIPAA) require the use of specific regions or mandate data to reside in certain geographies. SCPs can help enforce this requirement.
Governance: By restricting regions, an organization can better align resource provisioning with its business strategy and compliance needs.
Impact:
Pros:
Improved Security: Prevents the creation of resources in regions that are not approved or are deemed insecure.
Compliance: Ensures that resources are provisioned in geographically compliant regions.
Operational Control: Provides better control over where resources are deployed, reducing the likelihood of misconfigurations.
Cons:
Operational Complexity: Managing SCPs for multiple regions may increase the complexity of account and region configuration management.
Service Availability: Restricting regions may limit access to certain AWS services or features that are available in specific regions.
Default Value:
By default, AWS Organizations does not restrict any regions. Any region can be used for resource provisioning unless an SCP policy is created to restrict access to specific regions.
Pre-requisite:
AWS IAM Permissions:
organizations:DescribePolicy
organizations:ListPolicies
organizations:ListPoliciesForTarget
organizations:DescribeOrganization
organizations:ListAccounts
AWS CLI installed and configured.
AWS Organizations setup with organizational units (OUs) and SCP policies already applied.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Organizations under Services.
In the Organizations Console, go to Policies.
Check if any SCPs are applied to the root or any organizational units (OUs).
Review the policy content for Deny statements whose Action and Condition restrict regions. For example:
Ensure that the policy includes a condition on the aws:RequestedRegion key, or explicit Deny statements, that restrict the regions in which actions can be performed.
If no restrictions are present, proceed with the Implementation Steps to create or review SCP policies.
Using AWS CLI:
To list the policies attached to your organization, run the following command:
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
To describe the details of a specific SCP policy, run:
aws organizations describe-policy --policy-id <policy-id>
In the output, verify whether the policy Content contains a Deny statement conditioned on the aws:RequestedRegion key, as in this sample output:
{
    "Policy": {
        "PolicySummary": {
            "Id": "p-xxxxxxxx",
            "Name": "RestrictRegionsPolicy",
            "Description": "Policy to restrict regions",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": false
        },
        "Content": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Deny\", \"Action\": \"*\", \"Resource\": \"*\", \"Condition\": { \"StringEquals\": { \"aws:RequestedRegion\": [ \"us-east-1\", \"us-west-2\" ] }}}]}"
    }
}
If no SCP is found that restricts regions, proceed to the Implementation Steps.
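The check in the two steps above can be automated. The following is an added example, not part of this SOP: it parses the Content string that describe-policy returns and reports every Deny statement keyed on aws:RequestedRegion, distinguishing the StringEquals form used in this SOP (listed regions blocked) from the StringNotEquals form (only listed regions allowed). The sample policies are constructed, and the audit_scps function assumes a boto3 Organizations client with the listed permissions.

```python
"""Offline check: does an SCP document restrict AWS regions?

Added example, not part of the original SOP. It parses the "Content" string
returned by `aws organizations describe-policy` (constructed samples below)
and lists the Deny statements that condition on aws:RequestedRegion.
"""
import json

MODES = {"stringequals": "deny_listed", "stringnotequals": "deny_others"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def region_restrictions(content):
    """Return [(mode, regions)] for each Deny statement keyed on aws:RequestedRegion.

    "deny_listed": StringEquals, the listed regions are blocked (the SOP's form).
    "deny_others": StringNotEquals, only the listed regions remain usable.
    Condition operators and keys are matched case-insensitively, as IAM does.
    """
    doc = json.loads(content)
    found = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        for op, keys in stmt.get("Condition", {}).items():
            mode = MODES.get(op.lower())
            for key, regions in keys.items():
                if mode and key.lower() == "aws:requestedregion":
                    found.append((mode, sorted(_as_list(regions))))
    return found

def restricts_regions(content):
    return bool(region_restrictions(content))

def audit_scps(client):
    """Apply the check to every SCP using a boto3 'organizations' client (assumed).
    Returns {policy_name: bool}; kept separate so the parser runs offline."""
    results = {}
    for page in client.get_paginator("list_policies").paginate(Filter="SERVICE_CONTROL_POLICY"):
        for s in page["Policies"]:
            content = client.describe_policy(PolicyId=s["Id"])["Policy"]["Content"]
            results[s["Name"]] = restricts_regions(content)
    return results

# Constructed samples: the SOP's example policy, an allow-list variant, and an unrestricted SCP.
DENY_LISTED = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*",
    "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]})
DENY_OTHERS = json.dumps({"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "*",
    "Resource": "*", "Condition": {"StringNotEquals": {"aws:requestedregion": "eu-west-1"}}}})
FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("deny-listed", DENY_LISTED), ("deny-others", DENY_OTHERS), ("full-access", FULL_ACCESS)):
        print(name, region_restrictions(doc))
```

A policy whose Deny statement carries no aws:RequestedRegion condition (FULL_ACCESS above) is reported as not restricting regions and should trigger the Implementation Steps.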
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Organizations.
In the Organizations Console, go to Policies and click Create Policy.
Select Service Control Policy and define a policy that restricts access to certain AWS regions. For example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": ["us-east-1", "us-west-1"]
                }
            }
        }
    ]
}
Attach the SCP to the root or specific organizational units (OUs) where you want to enforce the region restrictions.
Save the policy and verify that it has been applied to the desired accounts or OUs.
Using AWS CLI:
To create an SCP that restricts access to specific AWS regions, run:
aws organizations create-policy \
    --name "RestrictRegionsPolicy" \
    --description "Deny access to specific regions" \
    --type SERVICE_CONTROL_POLICY \
    --content '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestedRegion": ["us-east-1", "us-west-1"] } } } ] }'
To apply the policy to the root or specific OUs, run:
aws organizations attach-policy --policy-id <policy-id> --target-id <target-id>
Verify that the policy is applied by listing the SCPs attached to the target root or OU:
aws organizations list-policies-for-target --target-id <target-id> --filter SERVICE_CONTROL_POLICY
Backout Plan:
Using AWS Console:
Go to Policies → SCPs, select the policy.
Choose Detach from the target accounts or OUs.
Optionally, delete the policy.
Using AWS CLI:
Detach the SCP:
aws organizations detach-policy \
    --policy-id <POLICY_ID> \
    --target-id <ROOT_OR_OU_ID>
Delete the policy (if no longer needed):
aws organizations delete-policy --policy-id <POLICY_ID>