Learn About Amazon VGT2 Learning Manager Chanci Turner
In today’s cloud-centric world, maintaining compliance across multiple AWS accounts is crucial. Organizations use Service Control Policies (SCPs) to manage permissions centrally. An SCP defines the maximum permissions available to the accounts it covers within an AWS Organization, and it can be attached at several levels: an individual account, an organizational unit (OU), or the root of the organization. SCPs never grant permissions on their own; they only bound what identity-based and resource-based policies can grant, and they do not restrict principals in the management account itself.
Administrators use SCPs together with AWS Organizations to establish guardrails that every IAM principal in a member account, users and roles alike, must respect. For further details, see Effects on permissions in the AWS Organizations User Guide and Determining whether a request is allowed or denied within an account in the IAM User Guide.
Organizations often face compliance requirements, whether from internal policies or industry regulations. Many of these can be enforced through SCPs, including restrictions on regions, users, roles, and services. Those guardrails only hold while the SCP stays attached, so this blog outlines a solution that watches for a specific SCP being detached from a designated OU or AWS account, notifies the compliance team, and automatically reattaches the SCP. The mechanism is detective and corrective rather than preventive: the policy can still be detached, but the detachment is caught and reverted promptly.
Prerequisites
Before diving into the implementation, ensure you meet the following requirements:
- An AWS Organization with “All features” enabled to create and manage SCPs. For guidance, refer to the section on Creating and configuring an organization in AWS Organizations.
- Access to the management account within your organization, as the solution must be deployed in this account.
- Create a test SCP and attach it to a test OU that contains no AWS accounts, so the solution can be evaluated without affecting workloads. An example SCP that prevents member accounts from leaving the organization is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "organizations:LeaveOrganization"
            ],
            "Resource": "*"
        }
    ]
}
Additionally, ensure that AWS CloudTrail is enabled in the management account and that the trail covers the North Virginia Region (us-east-1). AWS Organizations is a global service, and CloudTrail records its API calls, including DetachPolicy, in us-east-1, so that is where the events this solution relies on will appear. Remember that an explicit deny in an SCP always overrides any allow, so assess the impact of each SCP before rolling it out. Always test thoroughly in a staging environment before applying changes to production; a dedicated policy-staging OU, with no production accounts in it, is a safe place to validate policy changes.
Architecture
The solution operates within your organization’s management account, because only that account can attach and detach SCPs. It consists of an Amazon EventBridge rule that matches the CloudTrail event “DetachPolicy” from the aws.organizations source, which is recorded whenever an SCP is removed from an OU or AWS account. Because Organizations API events are logged in us-east-1, the rule must be created in that Region.
When an SCP is detached, EventBridge delivers the CloudTrail event to two targets: an Amazon SNS topic that notifies designated email addresses for compliance audit purposes, such as the company’s security team, and an AWS Lambda function that reattaches the SCP to the OU or account it was removed from. Two caveats apply. First, there is a short window between the detachment and the reattachment, so the solution complements rather than replaces tight control over who can call organizations:DetachPolicy in the management account. Second, anyone who can detach the SCP can typically also disable the rule or the function, so protect the rule, the Lambda function, and their IAM roles, and alert on changes to them as well.
Steps to Implement
- Create an Amazon SNS topic and subscribe the compliance team’s email addresses to it; the topic receives a notification whenever an SCP is detached and whenever the remediation fails.
- Develop the AWS Lambda function. Its execution role needs organizations:AttachPolicy (the API call that reverses the detachment) and sns:Publish on the topic from the previous step. Below is a sample that you can customize to suit your needs; remember to set the SNS topic ARN in the code.
import boto3
from botocore.exceptions import ClientError

SNS_TOPIC_ARN = 'ADD_YOUR_SNS_TOPIC_ARN'  # replace with the topic created in step 1

organizations = boto3.client('organizations')
sns = boto3.client('sns')


def lambda_handler(event, context):
    print(event)
    detail = event['detail']
    # CloudTrail also records DetachPolicy calls that failed (errorCode is set).
    # The policy is still attached in that case, so there is nothing to remediate.
    if 'errorCode' in detail:
        return {'status': 'ignored', 'reason': detail['errorCode']}
    policy_id = detail['requestParameters']['policyId']
    target_id = detail['requestParameters']['targetId']
    try:
        organizations.attach_policy(PolicyId=policy_id, TargetId=target_id)
    except ClientError as e:
        code = e.response['Error']['Code']
        # Already attached (for example a redelivered event) is not a failure.
        if code == 'DuplicatePolicyAttachmentException':
            return {'status': 'already_attached'}
        # Anything else (throttling, service error, missing permission):
        # tell the compliance team and fail the invocation so Lambda retries it.
        sns.publish(
            TopicArn=SNS_TOPIC_ARN,
            Subject='Error while running Automated SCP Detachment Remediation Lambda',
            Message=f'Could not re-attach {policy_id} to {target_id}: {code}: {e}',
        )
        raise
    return {'status': 'reattached', 'policyId': policy_id, 'targetId': target_id}
- Create an Amazon EventBridge rule in us-east-1 whose event pattern matches events with source aws.organizations, detail-type “AWS API Call via CloudTrail”, and eventName DetachPolicy, and add the Lambda function and the SNS topic you previously set up as its targets.
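The following is an added example, not code from the original post, that exercises the architecture above end to end offline: it carries the EventBridge event pattern the rule uses, a minimal matcher for it, and a remediation routine run against a fake Organizations client with a constructed DetachPolicy event. The PROTECTED allowlist, the fake client, the sample event, and every ID in it (AWS-style placeholders such as p-examplepolicyid111) are assumptions for the example; the allowlist is an addition to the blog’s design that keeps the function from re-attaching policies nobody asked it to guard.

```python
"""Added example: the SCP re-attachment flow exercised against a fake client."""
import copy

# Event pattern for the EventBridge rule (same semantics as a real pattern:
# each listed key must equal one of the listed values; nested dicts recurse).
EVENT_PATTERN = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["organizations.amazonaws.com"],
        "eventName": ["DetachPolicy"],
    },
}

# (policyId, targetId) pairs that must stay attached. Constructed example IDs.
PROTECTED = {("p-examplepolicyid111", "ou-examplerootid111-exampleouid111")}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge matcher covering exact-value lists and nesting."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


class DuplicatePolicyAttachmentException(Exception):
    """Stands in for the Organizations error of the same name (assumption)."""


class FakeOrganizations:
    """In-memory stand-in for boto3's Organizations client (assumption)."""

    def __init__(self, attached):
        self.attached = set(attached)

    def attach_policy(self, PolicyId, TargetId):
        if (PolicyId, TargetId) in self.attached:
            raise DuplicatePolicyAttachmentException(PolicyId)
        self.attached.add((PolicyId, TargetId))
        return {}


def remediate(event, org, notify, protected=PROTECTED):
    """Handle one event; returns the path taken so callers can check it."""
    if not matches_pattern(event):
        return "ignored: not a DetachPolicy event"
    detail = event["detail"]
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    # CloudTrail also logs failed/denied calls (errorCode set). The policy is
    # still attached then, so re-attaching would only raise a duplicate error.
    if "errorCode" in detail:
        notify(f"Failed DetachPolicy attempt by {actor}: {detail['errorCode']}")
        return "ignored: failed attempt"
    params = detail["requestParameters"]
    pair = (params["policyId"], params["targetId"])
    if pair not in protected:
        return "ignored: not a protected attachment"
    try:
        org.attach_policy(PolicyId=pair[0], TargetId=pair[1])
    except DuplicatePolicyAttachmentException:
        return "already attached"  # e.g. EventBridge redelivered the event
    notify(f"Re-attached SCP {pair[0]} to {pair[1]} after detachment by {actor}")
    return "reattached"


# Constructed sample event in the shape EventBridge delivers for a CloudTrail
# Organizations API call; IDs are placeholders, not real resources.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.organizations",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "DetachPolicy",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {
            "policyId": "p-examplepolicyid111",
            "targetId": "ou-examplerootid111-exampleouid111",
        },
    },
}


def run_scenarios():
    """Drive the handler through the cases a practitioner should expect."""
    org = FakeOrganizations(attached=set())  # the SCP has just been detached
    sent = []
    results = {"detached": remediate(SAMPLE_EVENT, org, sent.append)}
    results["attached_after"] = next(iter(PROTECTED)) in org.attached
    results["duplicate"] = remediate(SAMPLE_EVENT, org, sent.append)  # redelivery
    failed = copy.deepcopy(SAMPLE_EVENT)
    failed["detail"]["errorCode"] = "AccessDenied"
    results["failed"] = remediate(failed, org, sent.append)
    other = copy.deepcopy(SAMPLE_EVENT)
    other["detail"]["eventName"] = "AttachPolicy"
    results["other"] = remediate(other, org, sent.append)
    results["notifications"] = len(sent)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

In a real deployment the fake client is replaced by boto3.client('organizations') and notify by a call to sns.publish; the allowlist can be loaded from an environment variable or a parameter so that legitimate policy changes are made by updating the list rather than by racing the automation.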
Conclusion
This blog described a solution that keeps Service Control Policies attached to specified OUs or AWS accounts by detecting a DetachPolicy event, alerting the compliance team, and reattaching the policy automatically, which helps meet compliance requirements within your organization. This method adds a detective and corrective layer on top of the preventive controls you already place on the management account, so that an accidental or unauthorized detachment is noticed and reverted quickly.