Introduction to AWS Resource Control Policies
In an exciting development for cloud security and management, Amazon Web Services (AWS) has introduced a new feature called Resource Control Policies (RCPs). These policies are designed to enhance the way organizations manage permissions and control access to resources across their AWS environments. With RCPs, AWS users can now set the maximum permissions available to resources within their entire organization, offering a robust mechanism for maintaining security and compliance.
Understanding Resource Control Policies
RCPs are a type of authorization policy managed within AWS Organizations. They serve as preventative controls that help establish a "data perimeter," effectively restricting external access to resources at scale. The policies are enforced centrally, providing central governance and security teams with the confidence that access to resources within AWS accounts aligns with their organization’s access control guidelines.
How RCPs Differ from Service Control Policies
While both RCPs and Service Control Policies (SCPs) serve to limit permissions, they operate differently. SCPs are used to limit permissions granted to principals, such as AWS Identity and Access Management (IAM) roles, within an organization. They help restrict access to AWS services, specific resources, and define under what conditions principals can make requests across multiple AWS accounts.
RCPs, on the other hand, focus on limiting permissions granted to resources. By implementing RCPs centrally within AWS Organizations, consistent access controls can be enforced across multiple AWS accounts. For instance, RCPs can restrict access to S3 buckets, ensuring they are only accessible by principals within the organization.
It’s important to note that neither SCPs nor RCPs grant permissions by themselves. They only set the maximum permissions available, and appropriate IAM policies are still required to grant permissions.
Supported Services and Availability
RCPs are available in all commercial AWS Regions and support several key AWS services at launch, including:
- Amazon Simple Storage Service (Amazon S3)
- AWS Security Token Service (AWS STS)
- AWS Key Management Service (AWS KMS)
- Amazon Simple Queue Service (Amazon SQS)
- AWS Secrets Manager
Notably, there are no additional charges for enabling and using RCPs.
Getting Started with Resource Control Policies
To start using RCPs, users must first enable them using the AWS Organizations console, the AWS SDK, or the AWS Command Line Interface (CLI). It’s crucial that the Organizations management account or a delegated administrator performs this action, as they are the only accounts that can enable or disable policy types.
Before enabling RCPs, ensure that AWS Organizations is set to "all features." If it’s in "Consolidated billing features" mode, migration to "all features" is necessary. Once enabled, users will find an AWS-managed policy called RCPFullAWSAccess, which is automatically created and attached to every entity in the organization.
Creating and Applying RCPs
Creating an RCP involves authoring a policy that restricts access as per organizational requirements. For example, an RCP can be created to ensure that only principals within the organization can access S3 buckets. The process begins by navigating to the "Resource control policies" page, selecting "Create policy," and then authoring the policy.
The policy syntax includes several key elements:
- Version: Indicates the version of the policy language being used.
- Statement: Contains one or more statements that define permissions.
- Effect: Specifies whether the policy allows or denies access.
- Principal: Identifies the entity to which the policy applies.
- Action: Specifies the actions that the policy allows or denies.
- Resource: Identifies the resources to which the policy applies.
- Condition: Sets conditions under which the policy applies.
For instance, a sample policy might deny access to S3 buckets for external principals, unless requests originate from within the organization or from an AWS service.
Attaching RCPs
Once created, RCPs can be attached to the root of the organization, organizational units (OUs), or specific AWS accounts. After attachment, access requests must comply with the RCP restrictions. It’s advisable to test RCPs on individual test accounts or OUs before deploying them at scale.
Seeing RCPs in Action
In practice, once an RCP is attached, any attempt by external identities to access restricted resources will be denied. This ensures that even if a resource-based policy is overly permissive, the RCP will enforce the necessary restrictions during the authorization process.
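To make the sample policy from the "Creating and Applying RCPs" section and the authorization behaviour described here concrete, the following added example (not code from the article or from AWS) builds that S3 data-perimeter RCP and evaluates it against a few request contexts. The organization ID, the statement Sid and the request contexts are constructed placeholders; the evaluator implements only the two IfExists condition operators the policy uses.

```python
# Constructed placeholder; a real organization ID looks like "o-" plus lowercase alphanumerics.
ORG_ID = "o-exampleorgid"


def build_s3_perimeter_rcp(org_id: str) -> dict:
    """RCP that denies S3 access unless the caller belongs to the organization
    or is an AWS service principal. The Sid is a label chosen for this example."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnforceOrgIdentities",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }],
    }


def _cond_true(op: str, expected: str, ctx: dict, key: str) -> bool:
    """Evaluate one IfExists condition. A key missing from the request context
    makes the condition true, so anonymous callers (no org ID) are still caught."""
    if key not in ctx:
        return True
    actual = str(ctx[key]).lower()
    if op == "StringNotEqualsIfExists":
        return actual != expected.lower()
    if op == "BoolIfExists":
        return actual == expected.lower()
    raise ValueError(f"unsupported operator {op}")


def rcp_denies(rcp: dict, action: str, ctx: dict) -> bool:
    """True when a Deny statement covers the action and all its conditions hold."""
    for st in rcp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a == "*" or a == action or (a.endswith("*") and action.startswith(a[:-1]))
                   for a in acts):
            continue
        conds = st.get("Condition", {})
        if all(_cond_true(op, exp, ctx, key) for op, kv in conds.items() for key, exp in kv.items()):
            return True
    return False


def is_allowed(rcp: dict, action: str, ctx: dict, resource_policy_allows: bool) -> bool:
    """An RCP never grants: the request needs an allow elsewhere AND no RCP deny."""
    return resource_policy_allows and not rcp_denies(rcp, action, ctx)
```

The `is_allowed` helper shows the point made above: an overly permissive bucket policy is not enough once the RCP deny matches, and the RCP alone never turns a denied request into an allowed one.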
Scaling RCP Deployment
For large-scale environments, managing RCPs as infrastructure as code and integrating them into existing CI/CD pipelines is recommended. AWS Control Tower can be used to deploy RCP-based controls, ensuring consistent application across managed accounts. Control Tower also supports drift detection for RCPs, notifying users if an RCP is modified or removed outside of Control Tower.
Conclusion
Resource Control Policies provide AWS users with centralized management over the maximum permissions available to resources in their organizations. Alongside SCPs, RCPs help establish a data perimeter, preventing unintended access and ensuring compliance with security guidelines. By using RCPs, organizations can achieve a robust security posture, tailored to their specific needs.
For more details, refer to the AWS Organizations User Guide on Resource Control Policies.