Service Control Policies – AWS Security Fundamentals – SCS-C02 Study Guide

Service Control Policies

When you group your accounts into an organization and organizational units (OUs), AWS Organizations gives you a tool to bound the permissions of the whole organization and of any child OU: Service Control Policies (SCPs). SCPs provide a baseline of governance across the accounts they are applied to, so that the rules are enforced at the organizational level regardless of the permissions set at the account, group, user, or role level.

The following are some points to note about SCPs:

  • SCPs are attached and managed from the organization (the management account, or a delegated administrator). Once attached, they are not visible to, and cannot be changed or removed by, principals in the member account; this includes the root user of that member account.
  • The restrictions in the SCP apply to every IAM user in the member account, including the root user of that account.
  • The restrictions in the SCP apply to every IAM role in the member account. (Service-linked roles are the one exception, and SCPs never restrict the management account itself.)

SCPs never grant permissions on their own; they only set the maximum permissions available in the accounts they are attached to. A principal's effective permissions are the intersection of the organization's SCPs, any permissions boundary set on the user or role, and the identity-based policy attached to the user, group, or role: an action succeeds only if all three allow it and none of them explicitly denies it.

Note

This book will go into much further detail about the verbiage of SCPs in Chapter 14, Working with Access Policies.

Security Considerations for AWS Organizations

The following list describes some of the specific security considerations and best practices when using AWS Organizations:

  • Suppose you want to implement an SCP at the root of the organization (the level that includes the management account) or on any high-level OU. In that case, test the effects of the SCP first, for example by attaching it to a non-production OU, so that your users and service roles don't run into unforeseen denials. Remember that SCPs do not restrict the management account, so test from a member account.
  • SCPs are well suited to preventing users and roles from disabling security tooling such as AWS CloudTrail, AWS Config, and Amazon GuardDuty, because a deny in an SCP holds even for account administrators and the root user.

SCPs can also be used to limit privilege escalation. To do this, you would write a statement that denies IAM administrative actions (for example, iam:*) and add a condition that uses the ArnNotLike operator on the aws:PrincipalARN condition key, so that the deny applies to every principal whose ARN does not match your designated administration role. Because the exception is keyed on the role's ARN, nobody in the member account can grant themselves broader IAM rights unless they can already assume that role.
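The two preventive patterns above (protecting security tooling, and denying IAM administration to everyone except one admin role via ArnNotLike on aws:PrincipalARN) as one constructed SCP, with a small evaluator that applies its Deny statements to a requested action and calling principal. This is an added example, not code from the study guide or from AWS: the account ID 111122223333, the role names OrgAdminRole and Developer, and the Sids are assumptions. The evaluator models only Deny statements and the ArnLike/ArnNotLike operators, which is all this policy needs; it is not the IAM policy engine, and a real rollout should still be checked with the IAM policy simulator from a member account.

```python
"""Evaluate a preventive SCP against a requested action and calling principal.

Added example; not from the study guide or from AWS. Account ID, role names
and statement Sids are made up for the illustration.
"""
import fnmatch

# Constructed SCP. Statement 1 protects the security tooling named in the
# chapter; statement 2 denies all IAM administration unless the caller's
# principal ARN matches the organization's admin role (ArnNotLike).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectSecurityTooling",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "guardduty:DeleteDetector",
                "guardduty:DisassociateFromAdministratorAccount",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyIamAdminExceptAdminRole",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {
                # aws:PrincipalARN is the role ARN for an assumed role, so the
                # exception covers every session of OrgAdminRole in any account.
                "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/OrgAdminRole"}
            },
        },
    ],
}


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: the six colon-delimited ARN parts are compared one by
    one with * and ? wildcards, so a wildcard never spans a ':' boundary."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def action_matches(patterns, action: str) -> bool:
    """IAM action names match case-insensitively and allow * and ? wildcards."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)


def condition_holds(condition: dict, context: dict) -> bool:
    """Only ArnLike / ArnNotLike are modelled. aws:PrincipalARN is always
    present for IAM principals, so missing-key handling is not modelled."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in pairs.items():
            pats = [patterns] if isinstance(patterns, str) else patterns
            value = context.get(key, "")
            matched = any(arn_like(p, value) for p in pats)
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def scp_denies(policy: dict, action: str, context: dict):
    """Return the Sid of the first Deny statement that blocks the action, or
    None. An SCP never grants anything: even when this returns None, the
    identity-based policy (and any permissions boundary) must still allow it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not action_matches(stmt["Action"], action):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed request contexts for three principals in a member account.
    admin = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/OrgAdminRole"}
    dev = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/Developer"}
    root = {"aws:PrincipalARN": "arn:aws:iam::111122223333:root"}
    for label, ctx in (("admin", admin), ("dev", dev), ("root", root)):
        for action in ("iam:CreateUser", "cloudtrail:StopLogging", "s3:GetObject"):
            print(f"{label:5} {action:24} -> {scp_denies(SCP, action, ctx)}")
```

The output makes the chapter's point concrete: the Developer role and even the member account's root user are denied iam:CreateUser, only OrgAdminRole passes the ArnNotLike check, and nobody, OrgAdminRole included, can stop the CloudTrail trail.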

Now that you have a grasp of account management using tools like AWS Organizations and SCPs, you can move on to compute services in AWS.

Cloud Compute in AWS

Compute in AWS refers to many services, such as Amazon EC2, Elastic Load Balancing (ELB), AWS Lambda, AWS Batch, Elastic Container Service (ECS), and Elastic Kubernetes Service (EKS), along with AWS Fargate, a managed service that runs your containers without you provisioning or patching the underlying instances. AWS compute even includes Lightsail, one of the quickest ways for customers to get a cloud workload running without needing to configure software or networking themselves.

Figure 2.3: Compute services in AWS

You can see, as is shown in Figure 2.3, the myriad of services that fall under the classification of compute services in Amazon Web Services. These include not only the virtual instances of the Elastic Compute Cloud (EC2) service but also Lambda, which is a function-as-a-service offering, and even Elastic Load Balancing, the service that helps spread requests to multiple instances.

Although there are quite a few services that fall under the compute umbrella in AWS, the most foundational service is EC2. This is your virtualized instance in the Amazon cloud. While other services, such as Elastic Container Service, Elastic Kubernetes Service, and even Elastic Beanstalk, can allow you to run containers in AWS, at their core they run on EC2 instances (or on instances that Fargate manages for you). Therefore, knowing the foundational elements of the EC2 service, such as how to select the correct instance type, how to use the optimal load balancer, and how to add volumes to an instance, is crucial both for answering questions on the Security Specialty exam and in your day-to-day duties as a professional.