Introduction#

SCPs (Service Control Policies) enforce permission guardrails across every account in an OU, or across several OUs at once. For example, the dev department can only launch t2.small instances.

  • create multiple accounts
  • create organizational units (OUs)
  • move accounts into an OU
  • apply SCPs (allow and deny)

AWS Organizations SCP (Service Control Policy)

Basic Organizations CLI#

list active accounts

aws organizations list-accounts \
--query 'Accounts[?Status==`ACTIVE`]'

list root organization

aws organizations list-roots

take note of the root id (r-xxxx); it is the parent id for top-level OUs

export PARENT_ID=xxxx

list organization units

aws organizations list-organizational-units-for-parent \
--parent-id $PARENT_ID

Create Accounts and OUs#

create an account (new accounts land under the root; move them into an OU afterwards)

aws organizations create-account \
--email hai+meaccount4@entest.io \
--account-name me-account4

take note of the new account id. create-account is asynchronous: it returns a request id, and the account id shows up in describe-create-account-status once the request reaches SUCCEEDED

export ME_ACCOUNT_ID=xxxx

create the Dev OU (and a Security OU the same way) and take note of each OU id

aws organizations create-organizational-unit \
--parent-id $PARENT_ID \
--name Dev

export DEV_OU_ID=xxxx

move an account into an OU

aws organizations move-account \
--account-id $ME_ACCOUNT_ID \
--source-parent-id $PARENT_ID \
--destination-parent-id $DEV_OU_ID

close an account (a closed account is suspended and can be reinstated within 90 days; after that it is gone for good)

aws organizations close-account \
--account-id $ME_ACCOUNT_ID
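The same sequence as a script, added here as an example that is not the post's own code: it wraps the Organizations CLI from Python and captures the ids programmatically instead of pasting them into export lines. It assumes the AWS CLI is installed and credentials for the management account are configured; the e-mail address and account name in the main block are placeholders. It also handles the step the CLI commands above gloss over: create-account only returns a request id, so the script polls describe-create-account-status until the account id is available.

```python
"""Drive `aws organizations` from Python and keep the ids in variables.
Added example; assumes the AWS CLI is on PATH with management-account credentials."""
import json
import subprocess
import time
from typing import Any


def aws_cmd(*args: str) -> list[str]:
    """Build the argv for an `aws organizations ...` call with JSON output."""
    return ["aws", "organizations", *args, "--output", "json"]


def run_aws(*args: str) -> Any:
    """Run the CLI and parse its JSON; a non-zero exit raises CalledProcessError."""
    proc = subprocess.run(aws_cmd(*args), check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def active_account_ids(list_accounts_response: dict) -> list[str]:
    """Python equivalent of the --query filter used above: ids of ACTIVE accounts only."""
    return [acct["Id"] for acct in list_accounts_response.get("Accounts", [])
            if acct.get("Status") == "ACTIVE"]


def root_id() -> str:
    """The root id (r-xxxx) is the parent id for top-level OUs."""
    return run_aws("list-roots")["Roots"][0]["Id"]


def ensure_ou(parent_id: str, name: str) -> str:
    """Return the id of the OU called `name` under `parent_id`, creating it if missing."""
    existing = run_aws("list-organizational-units-for-parent", "--parent-id", parent_id)
    for ou in existing.get("OrganizationalUnits", []):
        if ou["Name"] == name:
            return ou["Id"]
    created = run_aws("create-organizational-unit", "--parent-id", parent_id, "--name", name)
    return created["OrganizationalUnit"]["Id"]


def create_account(email: str, name: str, poll_seconds: int = 10) -> str:
    """create-account is asynchronous: poll the request until it SUCCEEDED (or FAILED)
    and only then read the AccountId from the status record."""
    status = run_aws("create-account", "--email", email,
                     "--account-name", name)["CreateAccountStatus"]
    while status["State"] == "IN_PROGRESS":
        time.sleep(poll_seconds)
        status = run_aws("describe-create-account-status",
                         "--create-account-request-id", status["Id"])["CreateAccountStatus"]
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
    return status["AccountId"]


def move_account(account_id: str, source_parent_id: str, destination_parent_id: str) -> None:
    """move-account prints nothing on success, so run_aws returns {}."""
    run_aws("move-account", "--account-id", account_id,
            "--source-parent-id", source_parent_id,
            "--destination-parent-id", destination_parent_id)


if __name__ == "__main__":
    root = root_id()
    dev_ou = ensure_ou(root, "Dev")
    # Placeholder e-mail and name: replace before running against a real organization.
    acct = create_account("ops+dev1@example.com", "dev-account-1")
    move_account(acct, root, dev_ou)
    print(f"account {acct} now lives in OU {dev_ou} under root {root}")
```

Polling with the request id is what makes the account id reliable; reading it from the create-account response would fail because that response carries only the request's status record.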

Apply SCP to OUs#

require Dev accounts to launch a specific EC2 instance type (here t2.micro, expressed as a Deny on ec2:RunInstances for any other ec2:InstanceType)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMicroInstanceType",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    }
  ]
}

create an SCP from the policy file

aws organizations create-policy \
--content file://policy.json \
--name SCPPolicyDemoFromCli \
--type SERVICE_CONTROL_POLICY \
--description test

take note policy id

export POLICY_ID=xxxx

attach the SCP to the Dev OU

aws organizations attach-policy \
--policy-id $POLICY_ID \
--target-id $DEV_OU_ID

AWS Organizations creates a default role in each account it creates. Switch into that role from the management account and check which permissions the SCP leaves in place:

OrganizationAccountAccessRole

deny Dev accounts from creating DynamoDB tables

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateDDBTable",
      "Effect": "Deny",
      "Action": "dynamodb:CreateTable",
      "Resource": ["*"]
    }
  ]
}

update the policy (update-policy replaces the whole content, so update_policy.json must contain every statement that should stay in force, not just the new one)

aws organizations update-policy \
--policy-id $POLICY_ID \
--content file://update_policy.json
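To check what the two policies above actually permit before attaching them, here is a small evaluator, added as an example and not part of the post or of any AWS tooling. It models only what these policies use (Allow/Deny, Action and Resource wildcards, StringEquals and StringNotEquals); real IAM evaluation is richer. The ARNs and the DEV_GUARDRAILS document are constructed: the latter combines both statements from the post into one policy, since update-policy would otherwise drop the instance-type rule when the DynamoDB rule is pushed.

```python
"""Minimal SCP evaluator for the policies discussed above (added example).
SCPs never grant: an action passes only if some Allow statement matches
(here the default FullAWSAccess) and no Deny statement matches."""
import fnmatch
from typing import Optional

# The default SCP AWS attaches to every root, OU and account: allow everything.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Both statements from the post in one document (constructed for this example).
DEV_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RequireMicroInstanceType", "Effect": "Deny",
         "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringNotEquals": {"ec2:InstanceType": "t2.micro"}}},
        {"Sid": "DenyCreateDDBTable", "Effect": "Deny",
         "Action": "dynamodb:CreateTable", "Resource": ["*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """StringEquals needs the key present and matching. StringNotEquals is a
    negated operator, which IAM treats as true when the key is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def _statement_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    # Action names are case-insensitive; '*' and '?' behave like shell globs.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
            and any(fnmatch.fnmatchcase(resource, p) for p in resources)
            and _condition_holds(stmt.get("Condition", {}), ctx))


def scp_allows(policies: list, action: str, resource: str,
               ctx: Optional[dict] = None) -> bool:
    """True only if an Allow matches and no Deny matches across all attached SCPs."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return False  # an explicit Deny always wins
                allowed = True
    return allowed


if __name__ == "__main__":
    attached = [FULL_AWS_ACCESS, DEV_GUARDRAILS]
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/*"  # constructed sample ARN
    for itype in ("t2.micro", "t2.small"):
        print(itype, scp_allows(attached, "ec2:RunInstances", instance,
                                {"ec2:InstanceType": itype}))
    print("CreateTable", scp_allows(attached, "dynamodb:CreateTable", "*"))
    print("PutItem", scp_allows(attached, "dynamodb:PutItem", "*"))
```

Running the main block shows t2.micro launches passing, t2.small launches and CreateTable being denied, and PutItem still allowed through FullAWSAccess. Evaluating with DEV_GUARDRAILS alone permits nothing, which is the point to remember when writing SCPs: they only ever take permissions away.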
