AWS SPC Examples
Prevent disabling of security services
Once you have established a security baseline for your AWS account, it is crucial to ensure that the configuration remains secure and cannot be altered by unauthorized users.
- Statement
DenyCloudtrail: Deny any actions that could disrupt CloudTrail logs to ensure audit trails are preserved. - Statement
DenyConfig: Deny any actions that could disrupt AWS Config. - Statement
DenyGuardDutyDeny: any actions that could disrupt GuardDuty. - Statement
DenySecurityHub: Deny any actions that could disrupt Security Hub. - Statement
DenyAccessAnalyzer: Deny any actions that could disrupt Access Analyzer. - Statement
DenyMacie: Deny any actions that could disrupt Macie. - Statement
DenyEventBridge: Deny any actions that could disrupt EventBridge rules that generate important alerts.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCloudtrail",
"Effect": "Deny",
"Action": [
"cloudtrail:DeleteTrail",
"cloudtrail:PutEventSelectors",
"cloudtrail:StopLogging",
"cloudtrail:UpdateTrail",
"cloudtrail:CreateTrail"
],
"Resource": "*"
},
{
"Sid": "DenyConfig",
"Effect": "Deny",
"Action": [
"config:DeleteAggregationAuthorization",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:DeleteRetentionConfiguration",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:PutRetentionConfiguration",
"config:StopConfigurationRecorder",
"config:PutConfigRule",
"config:DeleteConfigRule",
"config:DeleteEvaluationResults",
"config:DeleteConfigurationAggregator",
"config:PutConfigurationAggregator"
],
"Resource": "*"
},
{
"Sid": "DenyGuardDuty",
"Effect": "Deny",
"Action": [
"guardduty:AcceptInvitation",
"guardduty:ArchiveFindings",
"guardduty:CreateDetector",
"guardduty:CreateFilter",
"guardduty:CreateIPSet",
"guardduty:CreateMembers",
"guardduty:CreatePublishingDestination",
"guardduty:CreateSampleFindings",
"guardduty:CreateThreatIntelSet",
"guardduty:DeclineInvitations",
"guardduty:DeleteDetector",
"guardduty:DeleteFilter",
"guardduty:DeleteInvitations",
"guardduty:DeleteIPSet",
"guardduty:DeleteMembers",
"guardduty:DeletePublishingDestination",
"guardduty:DeleteThreatIntelSet",
"guardduty:DisassociateFromMasterAccount",
"guardduty:DisassociateMembers",
"guardduty:InviteMembers",
"guardduty:StartMonitoringMembers",
"guardduty:StopMonitoringMembers",
"guardduty:TagResource",
"guardduty:UnarchiveFindings",
"guardduty:UntagResource",
"guardduty:UpdateDetector",
"guardduty:UpdateFilter",
"guardduty:UpdateFindingsFeedback",
"guardduty:UpdateIPSet",
"guardduty:UpdatePublishingDestination",
"guardduty:UpdateThreatIntelSet"
],
"Resource": "*"
},
{
"Sid": "DenySecurityHub",
"Effect": "Deny",
"Action": [
"securityhub:DeleteInvitations",
"securityhub:DisableSecurityHub",
"securityhub:DisassociateFromMasterAccount",
"securityhub:DeleteMembers",
"securityhub:DisassociateMembers"
],
"Resource": "*"
},
{
"Sid": "DenyAccessAnalyzer",
"Effect": "Deny",
"Action": [
"access-analyzer:DeleteAnalyzer"
],
"Resource": "*"
},
{
"Sid": "DenyMacie",
"Effect": "Deny",
"Action": [
"macie2:DisassociateFromMasterAccount",
"macie2:DisableOrganizationAdminAccount",
"macie2:DisableMacie",
"macie2:DeleteMember"
],
"Resource": "*"
},
{
"Sid": "DenyEventBridge",
"Effect": "Deny",
"Action": [
"events:DeleteRule",
"events:DisableRule",
"events:RemoveTargets"
],
"Resource": "arn:aws:events:*:*:rule/default/IMPORTANT-RULE"
}
]
}
Prevent member accounts from leaving the organizations
The following policy blocks member accounts leave your organization where they would no longer be restricted by your SCP.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrganization",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
}
]
}
Deny sharing of resources outside the organization
The following example SCP prevents users from sharing resources that are not part of the organization with AWS Resource Access Manager (RAM).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:CreateResourceShare",
"ram:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"Bool": {
"ram:RequestedAllowsExternalPrincipals": "true"
}
}
},
{
"Effect": "Deny",
"Action": [
"ram:AcceptResourceShareInvitation",
"ram:AssociateResourceShare",
"ram:CreateResourceShare",
"ram:DeleteResourceShare",
"ram:DisassociateResourceShare",
"ram:RejectResourceShareInvitation",
"ram:TagResource",
"ram:UntagResource",
"ram:UpdateResourceShare",
"ram:EnableSharingWithAwsOrganization"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:PrincipalOrgID": "o-1234567890"
}
}
}
]
}
Require IMDSv2 enabled to launch EC2 instances
The following policy restricts all users from launching EC2 instances without IMDSv2 but allows specific IAM identities to modify instance metadata options.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotEquals": {
"ec2:MetadataHttpTokens": "required"
}
}
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"NumericGreaterThan": {
"ec2:MetadataHttpPutResponseHopLimit": "3"
}
}
},
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NumericLessThan": {
"ec2:RoleDelivery": "2.0"
}
}
},
{
"Effect": "Deny",
"Action": "ec2:ModifyInstanceMetadataOptions",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::{ACCOUNT_ID}:{RESOURCE_TYPE}/{RESOURCE_NAME}"
]
}
}
}
]
}
Block root user access
The root user has privileged access by default, this policy blocks access for this user in the AWS account.
Benefits:
- The difficulty of understanding what person was involved in an action if they authenticate with the root user.
- It mitigates the concerns on AWS around password recovery such account take-over risk that can happen with Root users.
- There isn’t a need to set up a multi-factor device for the user.
{
"Version": "2012-10-17",
"Statement": {
"Sid": "DenyRootUser",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::*:root"
}
}
}
}
Deny contact information changes
The following policy prevents the risk of account takeover by preventing contact information from being changed by any user.
One way to resolve access issues to your AWS account and receive critical security alerts is through contact information.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "DenyChangingContactInfo",
"Effect": "Deny",
"Action": [
"account:PutAlternateContact",
"account:PuContactInformation"
],
"Resource": [
"*"
]
}
]
}
Deny access to unused regions
This policy denies access to any operations outside of the specified regions. This way you ensure that no resources will be provisioned in another region and you won't need to worry about applying security controls.
In this exemples lets supposed that my organizations have workloads only in the us-west-1 and sa-east-1 regions, so this policy uses the Deny effect to deny access to all requests for operations that don't target one of the two approved regions.
The NotAction element enables you to list services whose operations (or individual operations) are exempted from this restriction. Because global services have endpoints that are physically hosted by the us-east-1 region , they must be exempted in this way. With an SCP structured this way, requests made to global services in the us-east-1 region are allowed if the requested service is included in the NotAction element. Any other requests to services in the us-east-1 region are denied by this example policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllUnapprovedRegions",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"directconnect:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"route53-recovery-cluster:*",
"route53-recovery-control-config:*",
"route53-recovery-readiness:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:ListMultiRegionAccessPoints",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-west-1",
"sa-east-1"
]
},
"ArnNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
"arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
]
}
}
}
]
}
Reference: AWS Official Documentation
Prevent region enable and disable actions
This policy prevents unauthorized or accidental changes to the region settings, which could impact the availability and configuration of services across the account. The policy ensures that only specific, highly privileged roles can enable or disable AWS regions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventAccountRegionUpdate",
"Effect": "Deny",
"Action": [
"account:EnableRegion",
"account:DisableRegion"
],
"Resource": [
"*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess*",
"arn:aws:iam::*:role/OrganizationAccountAccessRole"
]
}
}
}
]
}
Deny critical IAM actions
The following policy blocks access key creation for the root user and restricts access to other critical IAM actions.
- Statement
DenyCreateRootUserAccessKey: Deny creation of access keys for the root user. - Statement
DenyCreateAccessKey: Deny creation of any access keys except security roles. - Statement
DenyPasswordPolicyUpdate: Deny update IAM password policy except security roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreateRootUserAccessKey",
"Effect": "Deny",
"Action": "iam:CreateAccessKey",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:root"
]
}
}
},
{
"Sid": "DenyCreateAccessKey",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/AUDIT-ROLE-NAME"
]
}
}
},
{
"Sid": "DenyPasswordPolicyUpdate",
"Effect": "Deny",
"Action": [
"iam:DeleteAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/AUDIT-ROLE-NAME"
]
}
}
}
]
}
Restrict update of critical IAM roles
This policy restricts IAM users and roles from making changes to the specified IAM role that can be used to deny modifications of an incident response or other security auditing role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCriticalRoleModification",
"Effect": "Deny",
"Action": [
"iam:AttachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": [
"arn:aws:iam::*:role/AUDIT-ROLE-NAME",
"arn:aws:iam::*:role/OrganizationAccountAccessRole",
"arn:aws:iam::*:role/stacksets-exec-*",
"arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*"
]
}
]
}
Protect default security settings across services
The following policy prevent some important security settings services from being disable. None of these features are enabled by default and should be enabled as part of your initial account baseline.
- Statement
ProtectS3PublicAccess: Prevent disabling block of S3 buckets from being made public. - Statement
ProtectEBSEncryption: Prevent disabling of default Amazon EBS encryption.