Applying Service Control Policies (SCPs) for Permission Boundaries
Introduction
In this solution, we will demonstrate how to apply Service Control Policies (SCPs) for permission boundaries using Pulumi in TypeScript. Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your AWS environment. SCPs offer central control over the maximum available permissions for all accounts in your organization. By using Pulumi, we can define and manage these policies as code, ensuring consistency and ease of management.
The key services involved in this solution are AWS Organizations and AWS Identity and Access Management (IAM). AWS Organizations allows you to centrally manage and govern your environment as you grow and scale your AWS resources. IAM is used to manage access to AWS services and resources securely.
Step-by-Step Explanation
Step 1: Set Up Pulumi Project
First, we need to set up a new Pulumi project. If you haven’t already, install the Pulumi CLI and create a new TypeScript project:
pulumi new typescript
Step 2: Install AWS Pulumi Package
Next, install the Pulumi AWS package, which contains the necessary resources for managing AWS services:
npm install @pulumi/aws
Step 3: Define AWS Provider
In your Pulumi program, define an explicit AWS provider that specifies the region (and, optionally, the credentials) to use:
import * as aws from "@pulumi/aws";

const provider = new aws.Provider("aws", {
  region: "us-west-2",
});
Step 4: Create an AWS Organization
Create a new AWS Organization if you don’t already have one. This organization will be used to manage SCPs:
const org = new aws.organizations.Organization("org", {
  featureSet: "ALL",
}, { provider });
Step 5: Define Service Control Policies (SCPs)
Define the SCPs that you want to apply to your organization. SCPs are JSON policy documents that specify the permissions to allow or deny:
const scp = new aws.organizations.Policy("scp", {
  content: JSON.stringify({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*"
      }
    ]
  }),
  description: "Deny all S3 actions",
  name: "DenyS3",
  type: "SERVICE_CONTROL_POLICY",
}, { provider });
Step 6: Attach SCP to Organizational Unit (OU)
Create an Organizational Unit (OU) under the organization root and attach the SCP to it (the attachment target can also be an individual account or the root itself):
const ou = new aws.organizations.OrganizationalUnit("ou", {
  name: "Engineering",
  parentId: org.roots[0].id,
}, { provider });

const attachment = new aws.organizations.PolicyAttachment("attachment", {
  policyId: scp.id,
  targetId: ou.id,
}, { provider });
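The evaluation rule that Steps 5 and 6 rely on, as an added example that is not part of this guide or of Pulumi's code: a small TypeScript simulator showing how an SCP caps, but never grants, the permissions an identity policy confers. It assumes a single OU level with the AWS default FullAWSAccess SCP attached alongside the DenyS3 policy above, ignores conditions and resource-based policies, and the helper names (isAllowed, evaluatePolicy, scpSizeOk) are hypothetical.

```typescript
// Added example (not the guide's or Pulumi's code): simulate how SCPs cap effective permissions.
// Assumptions: one OU level, no policy conditions, no resource-based policies, "*" wildcards only.
type Effect = "Allow" | "Deny";
type Decision = "Allow" | "ExplicitDeny" | "ImplicitDeny";
interface Statement { Effect: Effect; Action: string | string[]; Resource: string | string[]; }
interface PolicyDoc { Version: "2012-10-17"; Statement: Statement[]; }

// The DenyS3 SCP from Step 5, and the FullAWSAccess SCP that AWS attaches to the root and
// every OU and account by default when SCPs are enabled.
const denyS3Scp: PolicyDoc = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Deny", Action: "s3:*", Resource: "*" }],
};
const fullAwsAccessScp: PolicyDoc = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
};

// Glob match where "*" matches any run of characters; IAM action names are case-insensitive, ARNs are not.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.split("*").map(p => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$", ignoreCase ? "i" : "").test(value);
}

function statementMatches(s: Statement, action: string, resource: string): boolean {
  const list = (v: string | string[]) => (Array.isArray(v) ? v : [v]);
  return list(s.Action).some(a => globMatch(a, action, true)) &&
         list(s.Resource).some(r => globMatch(r, resource, false));
}

// Within one document: an explicit Deny wins, then an Allow must match, otherwise implicit deny.
function evaluatePolicy(doc: PolicyDoc, action: string, resource: string): Decision {
  const hits = doc.Statement.filter(s => statementMatches(s, action, resource));
  if (hits.some(s => s.Effect === "Deny")) return "ExplicitDeny";
  return hits.some(s => s.Effect === "Allow") ? "Allow" : "ImplicitDeny";
}

// Effective access: no attached SCP may explicitly deny and at least one must allow (the boundary);
// the identity policy must then grant the action inside that boundary. SCPs never grant by themselves.
function isAllowed(scps: PolicyDoc[], identityPolicy: PolicyDoc, action: string, resource: string): boolean {
  const decisions = scps.map(s => evaluatePolicy(s, action, resource));
  const withinBoundary = !decisions.some(d => d === "ExplicitDeny") && decisions.some(d => d === "Allow");
  return withinBoundary && evaluatePolicy(identityPolicy, action, resource) === "Allow";
}

// SCP documents are limited to 5120 bytes; check before handing the JSON to aws.organizations.Policy.
function scpSizeOk(doc: PolicyDoc): boolean {
  return JSON.stringify(doc).length <= 5120; // these policies are ASCII, so characters equal bytes
}
```

Note the third case in the checks: with FullAWSAccess detached and only DenyS3 attached, every action is implicitly denied, which is the usual surprise when an OU ends up with deny-only SCPs.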
Key Points
- Service Control Policies (SCPs): SCPs are used to set permission boundaries for AWS accounts within an organization.
- AWS Organizations: A service that helps you centrally manage and govern your AWS environment.
- IAM Policies: Used to manage access to AWS services and resources securely.
- Pulumi: An infrastructure as code tool that allows you to define and manage cloud resources using programming languages.
Conclusion
By following this guide, you have successfully applied Service Control Policies (SCPs) for permission boundaries using Pulumi in TypeScript. This approach allows you to manage your AWS environment more effectively by defining policies as code, ensuring consistency and ease of management. Pulumi’s infrastructure as code capabilities make it easier to automate and scale your cloud infrastructure management.
Full Code Example
import * as aws from "@pulumi/aws";

// Explicit provider so the region is fixed in code rather than inherited from the environment.
const provider = new aws.Provider("aws", {
  region: "us-west-2",
});

// "ALL" enables all features; SCPs are not available in consolidated-billing-only organizations.
const org = new aws.organizations.Organization("org", {
  featureSet: "ALL",
}, { provider });

// The SCP document: an explicit Deny that caps every account under the target, whatever IAM grants.
const scp = new aws.organizations.Policy("scp", {
  content: JSON.stringify({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*"
      }
    ]
  }),
  description: "Deny all S3 actions",
  name: "DenyS3",
  type: "SERVICE_CONTROL_POLICY",
}, { provider });

// org.roots is a Pulumi Output; index and property access are lifted, so no apply() is needed here.
const ou = new aws.organizations.OrganizationalUnit("ou", {
  name: "Engineering",
  parentId: org.roots[0].id,
}, { provider });

// Attaching the policy to the OU applies it to every account placed under that OU.
const attachment = new aws.organizations.PolicyAttachment("attachment", {
  policyId: scp.id,
  targetId: ou.id,
}, { provider });

export const organization = org;
export const serviceControlPolicy = scp;
export const organizationalUnit = ou;
export const policyAttachment = attachment;