Only One Acct Has Read Only Mode
Customers who manage multiple AWS accounts in AWS Organizations can use service control policies (SCPs) to centrally manage permissions in their environment. SCPs can be applied to an organizational unit (OU), account, or entire organization to restrict the maximum permissions that can be applied in the scoped AWS accounts.
In this post, we are going to explore the use of SCPs to restrict an AWS account to read-only access. This can be useful in a number of scenarios, including:
- To quarantine an account before conducting a security review.
- To avoid the creation of new resources when an account is staged for deletion.
- To lock down a production account to prevent accidental or unscheduled changes.
Another use case for a read-only SCP is on a suspended OU that contains AWS accounts that have been closed and are waiting to be deleted from an organization. A suspended OU forms part of the AWS Organizations best practices described in the Getting Started Guide. Using SCPs allows an administrator to easily enable or disable a policy without making any changes to AWS Identity and Access Management (IAM) permissions at the AWS account level.
Prerequisites
To follow along with the steps in this blog post, you will need the following:
- An organization in AWS Organizations. For more information, see Creating an organization – AWS Organizations.
- Multiple AWS accounts registered in the organization to test the policy.
- Access to the management or root account in the organization to create the SCP.
In our example, we refer to AWS Single Sign-On (AWS SSO) as a conditional statement in the policy. AWS SSO is used to centrally manage user access to multiple AWS accounts in one place once it is set up in the organization. However, AWS SSO is not required to create SCPs.
Important: SCPs can potentially block access to all IAM users and service roles, including the root user. If SCPs are used incorrectly, they can impact your production workloads. We recommend testing SCPs in non-production environments before enabling them in production.
SCP evaluation
Before we dive into the example, let's learn more about SCPs in the context of IAM. SCPs are similar to IAM permission policies and use a common syntax. The difference is that an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for the affected accounts.
Any account has only those permissions granted by every parent above it. If a permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy.
When an SCP is present, identity- and resource-based IAM policies grant permissions to principals in member accounts only if those policies and the SCP allow the action. For more information, see Effects on permissions in the AWS Organizations User Guide and Determining whether a request is allowed or denied within an account in the IAM User Guide.
Figure 1: Determining whether a request is allowed or denied in an account
Using IAM permissions
Before we get to creating a read-only SCP, let's look at how we would use IAM policies to set an account to read-only. Here is the default AmazonS3ReadOnlyAccess policy in IAM:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": "*"
        }
      ]
    }
This policy provides read-only access to S3 by defining allowed actions, Get and List. The policy implicitly denies other modification or delete actions, such as Put, Create, or Delete. However, because this policy applies to S3 only, you must list the Get, List, and Describe operations of every AWS service in the Action section to create a complete read-only policy.
The built-in AWS managed policy for job functions, arn:aws:iam::aws:policy/job-function/ViewOnlyAccess, can be used to address this issue. However, there are no explicit deny statements, which means that if you attached the policy to a principal who already has full administrator access, there would be no effect, no read-only access. To achieve the desired read-only effect, you must remove existing permission policies from every IAM user, role, and group, which can be difficult to manage.
One option is to create an explicit deny policy with a NotAction that can be attached to users, groups, or roles in the event the account requires quarantine. The following JSON policy shows what this might look like:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "NotAction": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": "*"
        }
      ]
    }
This policy denies access to all actions except those listed (in this case, the S3 Get and List actions). Here, once again, you must maintain a long list of actions for every service you want to allow access to, which can become difficult to manage. You can also quickly hit the managed policy character limit of 6,144.
Read-only SCP
SCPs provide an easy way to control the maximum permissions at an AWS account level so you don't need to modify policies at the IAM level for individual users, groups, or roles. In Figure 2, the policy is applied at the Organizational Unit (OU) level. An OU is a grouping of accounts, and any account under that OU is in read-only mode.
Figure 2: OU and account structure example with read-only SCP applied to a suspended OU
Here is an example SCP that can be used to deny all actions to all users, except those listed in the conditional statement. You will notice a condition in the example related to AWS SSO. We do this because AWS SSO is set up in our organization and already has a read-only permission set associated with assigned users, so the SCP does not need to override the permission already set by SSO.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyWriters",
          "Effect": "Deny",
          "Action": "*",
          "Resource": [
            "*"
          ],
          "Condition": {
            "StringNotLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSReadOnlyAccess_*"
              ]
            }
          }
        }
      ]
    }
Here is the same example, but this one also excludes an IAM role. We exclude an IAM role in this policy because we have production application roles and do not want to block the application's access. (Remember, SCPs affect all users and roles.)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyWriters",
          "Effect": "Deny",
          "Action": "*",
          "Resource": [
            "*"
          ],
          "Condition": {
            "StringNotLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSReadOnlyAccess_*",
                "arn:aws:iam::123456789012:role/mySampleApplicationRole"
              ]
            }
          }
        }
      ]
    }
In our example, we only allow the IAM role associated with the AWSReadOnlyAccess permission set in AWS SSO. Users must select this permission set when they sign in to the console. Figure 3 shows a user with two permission sets for the account named Test-Account-2. The AWSAdministratorAccess permission set no longer works because it is overridden by the SCP deny statement.
Figure 3: AWS SSO sign-in page shows a user with two different permission sets to a single AWS account
Users must have multiple permission sets assigned to them so that when the SCP is enabled, they retain access through AWSReadOnlyAccess. It's a good practice to give administrators a read-only sign-in option when full access is not required.
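As an added illustration (not code from the post), here is a small Python model of the evaluation described under SCP evaluation, applied to the second SCP above: the SCP never grants anything, so a request succeeds only if the account's own IAM policy allows it and the DenyWriters statement does not apply, and the StringNotLike condition on aws:PrincipalArn is what carves out the exempt roles. The principal ARNs, account ID and region below are constructed sample values.

```python
import fnmatch
import json

# The second SCP from the post, copied here so the example runs stand-alone.
READ_ONLY_SCP = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ {
    "Sid": "DenyWriters", "Effect": "Deny", "Action": "*", "Resource": ["*"],
    "Condition": { "StringNotLike": { "aws:PrincipalArn": [
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSReadOnlyAccess_*",
      "arn:aws:iam::123456789012:role/mySampleApplicationRole" ] } } } ] }
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM string matching: '*' matches any run of characters, '?' one; case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def scp_denies(scp, action, principal_arn):
    """True if a Deny statement in the SCP applies to this action and principal.
    Only the StringNotLike condition on aws:PrincipalArn is modelled, because that
    is the only condition the post's SCP uses."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(_as_list(stmt["Action"]), action):
            continue
        cond = stmt.get("Condition", {}).get("StringNotLike", {})
        exempt = _as_list(cond.get("aws:PrincipalArn", []))
        # StringNotLike: the deny applies only when the principal matches NONE of the patterns.
        if exempt and _matches(exempt, principal_arn):
            continue
        return True
    return False

def request_allowed(scp, iam_allows, action, principal_arn):
    """Effective decision for a member-account principal: the account's IAM policies
    (for an SSO role, its permission set) must allow the action AND no SCP statement
    may deny it. Note that non-exempt principals lose read actions too; the exempt
    SSO role is read-only because of its permission set, not because of the SCP."""
    return iam_allows and not scp_denies(scp, action, principal_arn)

# Constructed sample principals; account ID, region and role suffix are placeholders.
SSO_PREFIX = "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/eu-west-1/"
SSO_READONLY = SSO_PREFIX + "AWSReservedSSO_AWSReadOnlyAccess_0123456789abcdef"
SSO_ADMIN = SSO_PREFIX + "AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef"
APP_ROLE = "arn:aws:iam::123456789012:role/mySampleApplicationRole"
IAM_ADMIN_USER = "arn:aws:iam::123456789012:user/admin"

if __name__ == "__main__":
    for who in (SSO_READONLY, SSO_ADMIN, APP_ROLE, IAM_ADMIN_USER):
        print(who.rsplit("/", 1)[-1], "s3:PutObject ->", request_allowed(READ_ONLY_SCP, True, "s3:PutObject", who))
```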
Considerations
Although SCPs give an administrator control over a multi-account environment, with great power comes great responsibility! Here are some things to consider when using a read-only SCP:
- The SCP impacts all IAM principals (users and roles) and might therefore impact your running services. This includes roles for Amazon Elastic Compute Cloud (Amazon EC2), AWS Lambda, Amazon Elastic Container Service (Amazon ECS), identity federation, and more. Be sure to exclude any roles that are critical to your running application in the conditional statement.
- All administrator access to the account, including that of the root user, is blocked. Make sure the right people have permission to remove the policy, if required (for example, in the event of an emergency).
- If you are applying the SCP to an OU and using AWS Control Tower, you must move AWS accounts into the OU by updating the AWS Service Catalog item. At the time of this writing, you cannot use AWS Organizations to move an enrolled account to a different OU directly. However, you can use AWS Organizations to apply custom SCPs to your existing OUs created in AWS Control Tower.
- Remember that a deny will always override an allow, so be aware of the impact and implications.
Conclusion
In this post, we described how SCPs are an efficient way to place an AWS account into a read-only state and prevent modification to any resources by any principal. This approach offers a powerful security response tool and an extra layer of protection for critical production workloads without the need to manage multiple individual IAM policies.
To use SCPs and other advanced governance features, get started with AWS Organizations today!
About the Authors
Amit is a Senior Solutions Architect at AWS. He is passionate about Software-as-a-Service (SaaS) architectures using serverless, analytics and emerging cloud technologies. He has worked on cloud-native development and designing multi-tenant architectures in various industry verticals over a decade, leveraging his experience to help ISV and B2B customers.
Thomas is a Solutions Architect at AWS working with ISVs and B2B organisations within the UK and Ireland. At AWS he helps customers with multi-tenant SaaS transformations. He has over ten years' experience in IT infrastructure, especially with enterprise organisations across aviation, retail and manufacturing industry verticals. He is passionate about automation and working with Serverless technology.
Source: https://aws.amazon.com/blogs/mt/implement-read-only-service-control-policy-in-aws-organizations/