
Service Control Policies Are Not Adequately Used Within AWS Organizations

Overview

Service Control Policies (SCPs) are the central mechanism for bounding permissions across all accounts in an AWS Organization. They act as guardrails that cap the maximum permissions available to IAM users and roles in member accounts; an SCP never grants permissions on its own, it only limits what identity-based and resource-based policies in those accounts can allow. SCPs do not apply to the management account, so anything that must be protected there needs other controls. If no SCPs are in place (or only the default FullAWSAccess policy is attached), excessive permissions can be granted in any member account, which is a security risk.

This check verifies that at least one service control policy is attached to an organizational root and that at least two other service control policies are attached to non-root organizational units (OUs).
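The following is an added example written for this page, not the vendor's check implementation. It applies the rule above to data shaped like the AWS Organizations API responses (ListPolicies with Filter=SERVICE_CONTROL_POLICY, then ListTargetsForPolicy for each policy) and runs offline on a constructed sample organization. Two assumptions are made that the page does not state: the AWS-managed FullAWSAccess policy is ignored by default because it restricts nothing, and "two other" is read as two SCPs distinct from those attached to the root. The policy and OU identifiers in the sample are invented; the boto3 helper fetch_scps is included to show how the same input shape would be built from a live client and is not exercised by the sample.

```python
"""Evaluate SCP coverage for an AWS Organization (added example, not vendor code).

Input shape mirrors Organizations ListPolicies + ListTargetsForPolicy so the
rule can be run offline on the constructed SAMPLE_POLICIES below.
"""

FULL_AWS_ACCESS_ID = "p-FullAWSAccess"  # AWS-managed default SCP; allows everything


def evaluate_scp_coverage(policies, min_root=1, min_ou=2, ignore_full_access=True):
    """Rule: >= min_root SCPs attached to a root and >= min_ou *other* SCPs
    attached to non-root OUs.

    policies: list of dicts with "Id", "Name" and "Targets"; each target has
    "TargetId" and "Type" in {"ROOT", "ORGANIZATIONAL_UNIT", "ACCOUNT"}.
    Assumption: FullAWSAccess is skipped because it restricts nothing.
    Returns counts, noteworthy policy IDs and a "passed" flag.
    """
    root_policies, ou_policies = set(), set()
    unattached, account_only = [], []
    for pol in policies:
        if ignore_full_access and pol["Id"] == FULL_AWS_ACCESS_ID:
            continue
        kinds = {t["Type"] for t in pol["Targets"]}
        if "ROOT" in kinds:
            root_policies.add(pol["Id"])
        if "ORGANIZATIONAL_UNIT" in kinds:
            ou_policies.add(pol["Id"])
        if not kinds:
            unattached.append(pol["Id"])      # defined but protecting nothing
        elif kinds == {"ACCOUNT"}:
            account_only.append(pol["Id"])    # per-account attachment only: drift risk
    # Assumption: "other" means SCPs that are not the root-attached one(s).
    other_ou_policies = ou_policies - root_policies
    return {
        "root_count": len(root_policies),
        "ou_count": len(other_ou_policies),
        "unattached": sorted(unattached),
        "account_only": sorted(account_only),
        "passed": len(root_policies) >= min_root and len(other_ou_policies) >= min_ou,
    }


def fetch_scps(org_client):
    """Build the input shape from a boto3 Organizations client.

    Added helper, not run by the offline sample: it needs credentials in the
    management account or a delegated administrator for Organizations.
    """
    policies = []
    list_policies = org_client.get_paginator("list_policies")
    list_targets = org_client.get_paginator("list_targets_for_policy")
    for page in list_policies.paginate(Filter="SERVICE_CONTROL_POLICY"):
        for summary in page["Policies"]:
            targets = []
            for tpage in list_targets.paginate(PolicyId=summary["Id"]):
                targets.extend(tpage["Targets"])
            policies.append({"Id": summary["Id"], "Name": summary["Name"], "Targets": targets})
    return policies


# Constructed sample organization; all IDs are invented except p-FullAWSAccess.
SAMPLE_POLICIES = [
    {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess",
     "Targets": [{"TargetId": "r-abcd", "Type": "ROOT"},
                 {"TargetId": "ou-abcd-prod0001", "Type": "ORGANIZATIONAL_UNIT"},
                 {"TargetId": "ou-abcd-sand0001", "Type": "ORGANIZATIONAL_UNIT"}]},
    {"Id": "p-denyregions", "Name": "DenyUnapprovedRegions",
     "Targets": [{"TargetId": "r-abcd", "Type": "ROOT"}]},
    {"Id": "p-prodguard", "Name": "ProdGuardrails",
     "Targets": [{"TargetId": "ou-abcd-prod0001", "Type": "ORGANIZATIONAL_UNIT"}]},
    {"Id": "p-sandbox", "Name": "SandboxLimits",
     "Targets": [{"TargetId": "ou-abcd-sand0001", "Type": "ORGANIZATIONAL_UNIT"}]},
    {"Id": "p-orphan", "Name": "NeverAttached", "Targets": []},
    {"Id": "p-onebox", "Name": "SingleAccountDeny",
     "Targets": [{"TargetId": "111122223333", "Type": "ACCOUNT"}]},
]

if __name__ == "__main__":
    print(evaluate_scp_coverage(SAMPLE_POLICIES))
```

On the sample the check passes (one root SCP, two OU SCPs) but still reports p-orphan as unattached and p-onebox as attached only to a single account; both are worth reviewing even when the headline rule is satisfied, since an unattached SCP enforces nothing and account-level attachments are easy to lose when accounts are moved between OUs.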

Vendor

AWS

Cloud Service

Account

CSMM v1 ORM-04.2

References

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html, https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html

Severity

2

Item Types

Custom::AWS::Account