SCP Best Practices
🔹 Deny list strategy
🔹 Allow list strategy
https://aws.amazon.com/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1/

🔸 Organizational Units
https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

▪️ Deny changes to CloudWatch monitors
▪️ Deny changes to CloudWatch Logs
▪️ Deny changes to Config
▪️ Deny accounts from leaving the organization
▪️ Deny all actions
▪️ Deny access to IAM with role exception
▪️ Deny actions outside approved regions
▪️ Deny ability to pass IAM roles
▪️ Deny changes to GuardDuty
▪️ Deny changes to AWS Budget Actions
▪️ Limit changes to Cost Anomaly Detection, except when using a specific IAM Role
https://aws.amazon.com/blogs/mt/codify-your-best-practices-using-service-control-policies-part-2/
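As an added illustration of the deny list strategy (not taken from the linked AWS posts), the SCP below combines three of the guardrails listed above into one policy: it denies leaving the organization, denies actions outside approved regions, and denies destructive GuardDuty changes unless the caller is a designated security role. The region list (us-east-1, eu-west-1), the role name SecurityAdminRole and the set of global services exempted from the region check are placeholders chosen for this example and must be adapted before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyActionsOutsideApprovedRegionsPlaceholderList",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    },
    {
      "Sid": "DenyGuardDutyChangesExceptSecurityAdminRolePlaceholder",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DeleteMembers",
        "guardduty:StopMonitoringMembers"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"
        }
      }
    }
  ]
}
```

Two points to check before attaching this to a production OU: the `NotAction` list in the region statement must include every global service your accounts rely on, otherwise calls to those services are blocked because they resolve to a region outside the approved list; and SCPs never apply to the management account, so the guardrails only take effect for member accounts. Attach the policy to a sandbox OU first and watch CloudTrail for `AccessDenied` events attributed to the new statement IDs before rolling it out wider.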
#SCP #security #best_practices