AWS Organizations is introducing resource control policies (RCPs), a new kind of authorization policy.
Resource control policies (RCPs)
Resource control policies (RCPs) are one kind of organization policy that you can use to govern access in your organization. RCPs give you central control over the maximum permissions that the resources in your organization can have. RCPs help you ensure that the resources in your accounts stay within your organization's access control guidelines. RCPs are available only in an organization that has all features enabled. If your organization has enabled only the consolidated billing feature, RCPs are not available.
Resource control policies alone are not sufficient to grant permissions to the resources in your organization. An RCP grants no permissions. Instead, an RCP defines a permissions guardrail, that is, limits on what an identity can do with resources in your organization. To actually grant permissions, the administrator must still attach resource-based policies to the resources in your accounts or identity-based policies to IAM users or roles.
Effective permissions are the logical intersection of what is allowed by identity-based and resource-based policies and what is allowed by resource control policies and service control policies (SCPs).
The resources of the following AWS services are covered by RCPs:
- Amazon S3
- AWS Security Token Service
- AWS Key Management Service
- Amazon SQS
- AWS Secrets Manager
Evaluating RCPs’ effects
AWS strongly recommends that you do not attach RCPs to the root of your organization without thoroughly testing the impact the policy has on the resources in your accounts. A good place to start is attaching resource control policies to individual test accounts. You can then move them up to OUs lower in the hierarchy and, if necessary, work your way up to the organization level. One way to assess impact is to examine AWS CloudTrail logs for Access Denied errors.
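The CloudTrail check described above, as an added example that is not part of the AWS documentation: it filters records on errorCode AccessDenied for the services RCPs cover and groups them by resource account, caller and API, so a denial introduced by a newly attached RCP stands out. The log records are constructed, and the errorMessage wording is an assumption, which is why the filter keys on errorCode rather than on message text.

```python
"""Triage CloudTrail records for Access Denied errors while rolling out an RCP.

Added example, not AWS code. The records below are constructed; the
errorMessage wording is an assumption, so the filter keys on errorCode.
"""
import json
from collections import Counter

# Constructed CloudTrail records (newline-delimited JSON), trimmed to the fields used.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2024-11-14T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:role/AppRole"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied (constructed)"},
    {"eventTime": "2024-11-14T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:role/AppRole"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied (constructed)"},
    {"eventTime": "2024-11-14T10:00:03Z", "eventSource": "sqs.amazonaws.com",
     "eventName": "SendMessage", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/Worker"}},
    {"eventTime": "2024-11-14T10:00:04Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::333333333333:user/partner"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied (constructed)"},
])

# Event sources of the services whose resources RCPs cover (listed on this page).
RCP_SERVICES = {"s3.amazonaws.com", "sts.amazonaws.com", "kms.amazonaws.com",
                "sqs.amazonaws.com", "secretsmanager.amazonaws.com"}


def access_denied_summary(log_text):
    """Count AccessDenied events for RCP-covered services, keyed by
    (resource account, caller ARN, event source, API). Successful calls and
    services outside RCP scope are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("errorCode") != "AccessDenied":
            continue
        if rec.get("eventSource") not in RCP_SERVICES:
            continue
        key = (rec["recipientAccountId"], rec["userIdentity"]["arn"],
               rec["eventSource"], rec["eventName"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in access_denied_summary(SAMPLE_LOG).most_common():
        print(n, *key)
```

A caller that appears here right after an RCP was attached to a test account is a candidate for a denied, previously working access path; compare against the same query run before the attachment.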
Maximum RCP size
All characters in your RCP count against its maximum size. The examples in this guide show resource control policies formatted with extra white space to improve readability. However, if your policy size is approaching the maximum, you can remove any white space, including space characters and line breaks outside quotation marks, to save space.
Attaching RCPs to various organizational levels
RCPs can be directly attached to the organization root, OUs, or individual accounts.
RCP’s impact on permissions
An RCP is one kind of AWS Identity and Access Management (IAM) policy. RCPs are most closely related to resource-based policies, but an RCP never grants permissions. Instead, RCPs are access controls that define the maximum permissions that can be granted to resources in your organization. For more information, see Policy evaluation logic in the IAM User Guide.
- Resources for a subset of AWS services are covered by RCPs.
- RCPs affect only resources that are managed by accounts that are part of the organization to which the RCPs are attached. Resources from accounts outside the organization are not affected. For example, consider an Amazon S3 bucket owned by Account A in an organization. The bucket policy, a resource-based policy, grants access to users from Account B outside the organization. An RCP is attached to Account A. That RCP applies even when users in Account B access the S3 bucket in Account A. However, when users in Account A access resources in Account B, that RCP does not apply.
- An RCP restricts permissions for resources in member accounts. Any resource in an account has only the permissions that are allowed by every parent above it. If a permission is blocked at any level above the account, a resource in the affected account does not have that permission, even if the resource owner attaches a resource-based policy that grants full access to any user.
- RCPs apply to the resources that are authorized as part of a request for an operation. These resources appear in the "Resource type" column of the Actions table in the Service Authorization Reference. If the "Resource type" column lists no resources, the resource control policies of the calling principal's account apply. For example, s3:GetObject authorizes the object resource. Each time a GetObject request is made, the requesting principal's ability to call the GetObject operation is evaluated against the applicable RCP. An applicable RCP is one attached to the account, organizational unit (OU), or organization root that governs the resource being accessed.
- RCPs affect only the resources in the organization's member accounts. They do not affect resources in the management account. They do, however, apply to member accounts that have been designated as delegated administrators.
- The RCP is incorporated into the policy evaluation logic to decide whether to grant or deny a principal access to a resource within an account that has an attached RCP (a resource with an applicable RCP).
- RCPs affect the effective permissions of principals that try to access resources in a member account with an applicable RCP, whether or not those principals belong to the same organization. This includes root users. The exception is service-linked roles: RCPs do not apply to calls made by service-linked roles, so RCPs cannot restrict service-linked roles, which allow AWS services to perform essential tasks on your behalf.
- Users and roles must still be granted permissions through the appropriate IAM permission policies, such as identity-based and resource-based policies. A user or role without any IAM permission policies is not granted access, even if an applicable RCP allows all services, all actions, and all resources.
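The rules in the list above, as an added toy evaluator that is not AWS code and not the real IAM policy evaluation engine: an RCP is a ceiling on the account that owns the resource, it applies only to member accounts and to the services RCPs cover, service-linked roles are exempt, and an IAM grant is still required. Account IDs, org membership and the policy contents are constructed.

```python
"""Toy evaluator showing how an RCP narrows effective permissions.

Added illustration, not AWS code and not the real IAM evaluation engine:
it models only the rules stated on this page. Account IDs, org membership
and the policy contents are constructed.
"""
MEMBER_ACCOUNTS = {"111111111111", "444444444444"}  # member accounts of the org
RCP_SERVICES = {"s3", "sts", "kms", "sqs", "secretsmanager"}  # services RCPs cover


def rcp_applies(action, resource_account, service_linked_role):
    """An RCP is applicable only to resources in member accounts (never the
    management account, which is not a member here), only for the services
    RCPs cover, and never to calls made by service-linked roles."""
    service = action.split(":")[0]
    return (resource_account in MEMBER_ACCOUNTS
            and service in RCP_SERVICES
            and not service_linked_role)


def evaluate(action, principal_account, resource_account, *, identity_allows,
             resource_allows, scp_allows, rcp_allows, service_linked_role=False):
    """Return (allowed, reason). Each *_allows is the set of 'service:Action'
    strings that policy family permits: identity/resource policies grant,
    scp_allows is the ceiling on the principal's account (if it is a member),
    rcp_allows is the ceiling on the account that owns the resource."""
    if action not in identity_allows and action not in resource_allows:
        return False, "no IAM policy grants the action"
    if (principal_account in MEMBER_ACCOUNTS and not service_linked_role
            and action not in scp_allows):
        return False, "SCP on the principal's account blocks it"
    if (rcp_applies(action, resource_account, service_linked_role)
            and action not in rcp_allows):
        return False, "RCP on the resource's account blocks it"
    return True, "allowed"


# Constructed policies: IAM grants three actions, the SCP permits the same,
# and the RCP ceiling permits only s3:GetObject on member-account resources.
IAM = {"s3:GetObject", "s3:PutObject", "sqs:SendMessage"}
POLICIES = dict(identity_allows=IAM, resource_allows=IAM, scp_allows=IAM,
                rcp_allows={"s3:GetObject"})

if __name__ == "__main__":
    # Account B (outside the org) reads, then writes, a bucket in member Account A.
    print(evaluate("s3:GetObject", "222222222222", "111111111111", **POLICIES))
    print(evaluate("s3:PutObject", "222222222222", "111111111111", **POLICIES))
    # Account A writes to a bucket in Account B: Account A's RCP does not apply.
    print(evaluate("s3:PutObject", "111111111111", "222222222222", **POLICIES))
```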
Resources and entities that are not subject to RCP restrictions
Resource control policies cannot be used to limit the following:
- Any modification to the management account’s resources.
- The effective permissions of any service-linked role. A service-linked role is a special type of IAM role that is linked directly to an AWS service and includes all the permissions the service requires to call other AWS services on your behalf. RCPs cannot restrict the permissions of service-linked roles. Resource control policies also do not affect an AWS service's ability to assume a service-linked role; that is, they do not affect the service-linked role's trust policy.
- AWS managed keys for AWS Key Management Service. An AWS service creates, manages, and uses AWS managed keys on your behalf; you cannot change or manage their permissions.
- Permissions that are not affected by RCPs include:
Service | API | Resources not authorized by RCPs |
---|---|---|
AWS Key Management Service | kms:RetireGrant | RCPs do not impact the kms:RetireGrant permission. For more information on how permission to kms:RetireGrant is determined, see Retiring and revoking grants in the AWS KMS Developer Guide. |