Sad Panda - There is no Cloudformation support for Organizations & Service Control Policies, so all of this must be done by hand.
Service Control Policies (aka SCPs) are similar to IAM policies but are applied by a parent AWS Account to a child AWS account via AWS Organizations. They can white or blacklist services so not even the Root Account or a full IAM Administrator in the account can call the specified API actions.
With regard to Root, AWS Documentation States:
No matter what SCPs are attached, the root user in an account can always do the following:
* Changing the root user's password
* Creating, updating, or deleting root access keys
* Enabling or disabling multi-factor authentication on the root user
* Creating, updating, or deleting x.509 keys for the root user
This is the basic Security Controls SCP you want to apply to all accounts (including the payer). It does the following:
- Denies the deletion, update or stopping of CloudTrail
- Denies the modification of the account contacts & settings via the Billing Portal and My Account Page
- Denies the account from leaving the organization
Additional things that would be important are:
- Limiting the ability to turn off guard-duty
- Disable Consumer Features (ie Alexa for Business, WorkMail, etc)
- Disable use of regions (if possible)
- Disable the use of Managed AWS Policies
There is an open question as to whether or not SCPs can support IAM Conditional Context Keys
You must first run the enable_scp.sh script to enable the usage of SCPs in your organization.
To deploy all the SCPs in the Policies directory, run:
./deploy_scp.sh
To attach the Security Controls SCP to all AWS accounts, run:
./apply_scp.sh
you didn't run enable_scp.sh if you get the error: An error occurred (PolicyTypeNotEnabledException) when calling the AttachPolicy operation: This operation can be performed only for enabled policy types.
To run the scripts, you need the following:
- jq
- awscli
- credentials in the ~/.aws/credentials file or environment variables