AWS Organizations | Control management Flashcards

1
Q

Can I control who in my AWS account can accept an invitation to join an organization?

Control management

AWS Organizations | Security, Identity & Compliance

A

Yes. Using IAM permissions, you can grant or deny users in your account the ability to accept or decline invitations to join an organization. The following policy grants access to view and manage invitations in an AWS account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:AcceptHandshake",
        "organizations:DeclineHandshake",
        "organizations:DescribeHandshake",
        "organizations:ListHandshakesForAccount"
      ],
      "Resource": "*"
    }
  ]
}

For more information, see Using Identity-Based Policies (IAM Policies) for AWS Organizations.

2
Q

At what levels of my organization can I apply a policy?

Control management

AWS Organizations | Security, Identity & Compliance

A

You can attach a policy to the root of your organization (applies to all accounts in your organization), to individual organizational units (OUs), which applies to all accounts in the OU including nested OUs, or to individual accounts.

3
Q

How can I attach a policy?

Control management

AWS Organizations | Security, Identity & Compliance

A

You can attach a policy in one of two ways:

In the AWS Organizations console, navigate to where you want to assign the policy (the root, an OU, or an account), and then choose Attach Policy.

In the Organizations console, choose the Policies tab and do one of the following:

Choose an existing policy, choose Attach Policy from the Actions drop-down list, and then choose the root, OU, or account to which you want to attach the policy.

Choose Create Policy, and then as part of the policy creation workflow, choose the root, OU, or account to which you want to attach the new policy.

For more information, see Managing Policies.

4
Q

Are policies inherited through hierarchical connections in my organization?

Control management

AWS Organizations | Security, Identity & Compliance

A

Yes. For example, let’s assume that you have arranged your AWS accounts into OUs according to your application development stages: DEV, TEST, and PROD. Policy P1 is attached to the organization’s root, policy P2 is attached to the DEV OU, and policy P3 is attached to AWS account A1 in the DEV OU. With this setup, P1+P2+P3 all apply to account A1.

For more information, see About Service Control Policies.

5
Q

What types of policies does AWS Organizations support?

Control management

AWS Organizations | Security, Identity & Compliance

A

Currently, AWS Organizations supports Service Control Policies (SCPs). You can use SCPs to define and enforce the actions that IAM users, groups, and roles can perform in the accounts to which the SCP is applied.

6
Q

What is a Service Control Policy (SCP)?

Control management

AWS Organizations | Security, Identity & Compliance

A

Service Control Policies (SCPs) allow you to control which AWS service actions are accessible to principals (account root, IAM users, and IAM roles) in the accounts of your organization. An SCP is necessary but not sufficient to grant principals in an account access to resources: it is not the only control that determines what those principals can access. The effective permission on a principal in an account that has an SCP attached is the intersection of what is allowed explicitly in the SCP and what is allowed explicitly in the permissions attached to the principal. For example, if an SCP applied to an account states that the only actions allowed are Amazon EC2 actions, and the permissions on a principal in the same AWS account allow both EC2 actions and Amazon S3 actions, the principal is able to access only the EC2 actions.

Principals in a member account (including the root user for the member account) cannot remove or change SCPs that are applied to that account.

7
Q

What does an SCP look like?

Control management

AWS Organizations | Security, Identity & Compliance

A

SCPs follow the same rules and grammar as IAM policies, except that you cannot specify conditions and the resource section must be equal to "*". You can use an SCP to deny or allow access to AWS service actions.

Whitelist example

The following SCP grants access to all EC2 and S3 service actions in the AWS account. All principals (account root, IAM user, and IAM role) in an account with this SCP applied will not be able to access any other actions, no matter which IAM policies are directly assigned to them. Those IAM policies must explicitly grant EC2 or S3 service actions for the principals to access them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["EC2:*", "S3:*"],
      "Resource": "*"
    }
  ]
}

Blacklist example

The following SCP allows access to all AWS service actions except the S3 action, PutObject. All principals (account root, IAM user, and IAM role) with appropriate permissions assigned directly to them in an account with this SCP applied can access any action except the S3 PutObject action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "S3:PutObject",
      "Resource": "*"
    }
  ]
}

For more examples, see Strategies for Using SCPs.

8
Q

If I attach an empty SCP to an AWS account, does that mean that I allow all AWS service actions in that AWS account?

Control management

AWS Organizations | Security, Identity & Compliance

A

No. SCPs behave the same way as IAM policies: an empty IAM policy is equivalent to a default DENY. Attaching an empty SCP to an account is equivalent to attaching a policy that explicitly denies all actions.

9
Q

Can I specify resources and principals in an SCP?

Control management

AWS Organizations | Security, Identity & Compliance

A

No. In the current release, you can specify only AWS services and actions in an SCP. You can specify resources and principals by using IAM permission policies within the AWS account. For more details, see Service Control Policy Syntax.

10
Q

What are the effective permissions if I apply an SCP to my organization and my principals also have IAM policies?

Control management

AWS Organizations | Security, Identity & Compliance

A

The effective permissions granted to a principal (account root, IAM user, and IAM role) in an AWS account with an SCP applied are the intersection between those allowed by the SCP and the permissions granted to the principal by IAM permission policies. For example, if an IAM user has "Allow": "ec2:*" and "Allow": "sqs:*", and the SCP attached to the account has "Allow": "ec2:*" and "Allow": "s3:*", the resultant permission for the IAM user is "Allow": "ec2:*". The principal cannot perform any Amazon SQS actions (not allowed by the SCP) or S3 actions (not granted by the IAM policy).

11
Q

Can I simulate the effect of an SCP on an AWS account?

Control management

AWS Organizations | Security, Identity & Compliance

A

Yes, the IAM policy simulator can include the effects of SCPs. You can use the policy simulator in a member account in your organization to understand the effect on individual principals in that account. An administrator in a member account with the appropriate AWS Organizations permissions can see if an SCP is affecting the access for the principals (account root, IAM user, and IAM role) in your member account.

For more information, see Service Control Policies.
