Using AWS Organizations to manage accounts in your company or team is a best practice. Service Control Policies (SCPs) have long been used to set the maximum permissions of IAM principals in member accounts, and now Resource Control Policies (RCPs) add a second guardrail by restricting access to resources such as S3 buckets, KMS keys, and SQS queues regardless of which principal makes the call.
You Should Know:
Key AWS Organizations Commands
1. Create an Organization
aws organizations create-organization --feature-set ALL
2. List Accounts in an Organization
aws organizations list-accounts
3. Enable Service Control Policies (SCPs)
aws organizations enable-policy-type --root-id r-XXXX --policy-type SERVICE_CONTROL_POLICY
Each policy type is enabled on the root separately: run the same command with --policy-type RESOURCE_CONTROL_POLICY before attaching any RCP.
Implementing RCPs for Security
4. Attach an RCP to an OU
aws organizations attach-policy --policy-id p-XXXX --target-id ou-XXXX
5. Example RCP to Restrict S3 Bucket Deletion
RCPs accept only "Effect": "Deny" and require "Principal": "*"; a document without the Principal element is rejected when you create the policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
6. Apply KMS Key Protection
KMS has no kms:DeleteKey action; deletion is requested with kms:ScheduleKeyDeletion, so that is the action to deny for every principal except the Admin role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "kms:ScheduleKeyDeletion",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/Admin"
        }
      }
    }
  ]
}
Monitoring and Enforcement
7. Check for Policy Violations (IAM Access Analyzer findings)
aws accessanalyzer list-findings --analyzer-arn arn:aws:accessanalyzer:region:account-id:analyzer/analyzer-id
8. Automate Compliance Checks
aws configservice put-config-rule --config-rule file://rcp-compliance-rule.json
What Undercode Says
AWS Organizations, SCPs, and RCPs are essential for enforcing security guardrails in multi-account environments. By restricting destructive actions (like deleting S3 buckets or KMS keys), organizations can prevent accidental or malicious resource loss. Combining RCPs with AWS Config and Access Analyzer ensures continuous compliance monitoring.
Additional Useful Commands
9. List All Policies in AWS Organizations
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
10. Detach a Policy from an OU
aws organizations detach-policy --policy-id p-XXXX --target-id ou-XXXX
11. Enable AWS Config (run once per region)
aws configservice subscribe --s3-bucket your-config-bucket --sns-topic arn:aws:sns:region:account-id:topic-name --iam-role arn:aws:iam::account-id:role/config-role
The subscribe command has no --all-regions flag and needs the --iam-role that AWS Config assumes; repeat it with --region for each region you want covered.
12. Audit SCPs with AWS CLI
aws organizations describe-policy --policy-id p-XXXX
13. Restrict EC2 Instance Types (SCP)
EC2 is not an RCP-supported service, so this guardrail is attached as an SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small"]
        }
      }
    }
  ]
}
14. Enforce MFA for Sensitive Actions (SCP)
Role sessions (EC2 instance profiles, Lambda, cross-account roles) carry no MFA context, so a blanket "Action": "*" deny breaks them; scope this to IAM users or to a specific action list before attaching it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
15. Block Public S3 Buckets (SCP)
There is no s3:PublicAccessBlock condition key, so the policy denies every change to the Block Public Access settings at both account and bucket level; set the settings once from the management account and let the SCP keep them in place.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    }
  ]
}
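Before attaching a document with attach-policy, it helps to know whether it is a valid RCP or really an SCP. The following Python checker is an added example, not code from this post or from AWS: it applies the RCP structural rules (Deny only, "Principal": "*", Resource present, actions from an RCP-supported service, size limit) to the KMS guardrail above and to the EC2 policy, which it correctly flags as SCP material. The service list is the one RCPs launched with; AWS may have added services since.

```python
import json

# Services that supported RCPs at launch (assumption: AWS may have added more since).
RCP_SERVICES = {"s3", "sts", "kms", "sqs", "secretsmanager"}
MAX_POLICY_CHARS = 5120  # documented maximum size of an SCP/RCP document


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_rcp(policy):
    """Return the problems that make `policy` (dict or JSON string) invalid as an RCP.

    An empty list means the document satisfies the RCP structural rules; a
    non-empty one usually means the document is really an SCP or needs fixing.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    problems = []
    if len(json.dumps(doc)) > MAX_POLICY_CHARS:
        problems.append("document exceeds the 5120-character limit")
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Deny":
            problems.append(f"{where}: RCPs support only Effect=Deny")
        if stmt.get("Principal") != "*":
            problems.append(f'{where}: RCPs require "Principal": "*"')
        if "Resource" not in stmt:
            problems.append(f"{where}: Resource is required")
        for action in _as_list(stmt.get("Action", [])):
            service = action.split(":", 1)[0].lower()
            if service not in RCP_SERVICES:
                problems.append(f"{where}: {action} is not an RCP-supported service; use an SCP")
    return problems


# Constructed samples: the KMS guardrail from this post and its EC2 instance-type policy.
KMS_RCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Principal": "*",
    "Action": "kms:ScheduleKeyDeletion", "Resource": "*",
    "Condition": {"StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/Admin"}}}]}
EC2_SCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": "ec2:RunInstances", "Resource": "*",
    "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]}}}]}

if __name__ == "__main__":
    for name, doc in (("KMS_RCP", KMS_RCP), ("EC2_SCP", EC2_SCP)):
        print(name, check_rcp(doc) or "OK as RCP")
```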
For further reading, refer to the original AWS article:
Effectively implementing resource control policies in a multi-account environment | Amazon Web Services
Reported By: Darryl Ruggles – Hackers Feeds