Multi-Account Security and Resource Policies on AWS
This content is from the lesson "1.1.2 Multi-Account Security and Resource Policies" in our comprehensive course.
View full course: AWS Solutions Architect Associate Study Notes
Multi-Account Security and Resource Policies are essential components for managing complex AWS environments with multiple accounts.
This blog covers AWS Organizations, Control Tower, Service Control Policies (SCPs), and resource-based policies for comprehensive security management.
____
How It Works & Core Attributes:
AWS Organizations:
Organization Fundamentals:
- What AWS Organizations is: A service that helps you centrally manage and govern multiple AWS accounts. It allows you to create a hierarchy of accounts under a single management account, enabling centralized billing, security, and compliance management
- Management Account: The account that creates and owns the organization. It has administrative control over the organization: it can create, invite, and remove member accounts and attach policies to them. Note that SCPs do not apply to the management account, so it should hold no workloads and its credentials should be tightly restricted
- Member Accounts: Individual AWS accounts that belong to the organization. These accounts can be created automatically or invited to join the organization. Member accounts inherit policies and settings from the organization

Organization Structure:
- Organizational Units (OUs): Logical groupings of accounts within the organization. OUs allow you to apply policies to groups of accounts rather than individual accounts. For example, you might create OUs for "Production," "Development," and "Testing"
- Consolidated Billing: A feature that allows you to pay for all AWS charges from a single account. This simplifies billing management and can provide volume discounts across all accounts in the organization
__
AWS Control Tower:
Control Tower Fundamentals:
- What Control Tower is: A service that helps you set up and govern a secure, multi-account AWS environment based on AWS best practices. It provides a pre-configured landing zone with security and compliance controls
- Landing Zone: A well-architected, multi-account AWS environment that follows security and compliance best practices. Control Tower automatically creates this environment with proper account structure and security controls
Control Tower Features:
- Guardrails: Pre-configured security controls that help you maintain compliance and security across your organization. Guardrails can be preventive (blocking actions) or detective (monitoring and alerting)
- Account Factory: A service that automatically creates new accounts with the proper security controls and configurations. This ensures all new accounts follow your organization's security standards
- Centralized Governance: The ability to manage security, compliance, and operational policies from a central location. This reduces administrative overhead and ensures consistent policy enforcement
__
Service Control Policies (SCPs):

SCP Fundamentals:
- What SCPs are: JSON policies that control which AWS services and actions are available to users and roles in member accounts. SCPs set a ceiling on what can be done in an account and can prevent users from performing unauthorized actions; they never grant permissions themselves, so an identity still needs an IAM Allow for any action. SCPs do not apply to the management account or to service-linked roles
- Permission Ceiling: SCPs define the maximum permissions that can be granted to users and roles in a member account. Even if an IAM policy grants more permissions, the SCP limits what the user can actually do (this is a separate mechanism from the IAM feature called "permissions boundaries", which applies to a single user or role)
SCP Management:
- Attachment Levels: SCPs can be attached at the organization root, OU, or account level. Root-level policies apply to all accounts, OU-level policies apply to every account in that OU (and its child OUs), and account-level policies apply to one specific account
- Inheritance: SCPs are inherited down the hierarchy. For an account inside an OU, the SCPs attached at the root, at each OU on the path, and at the account itself are all evaluated, and an action is permitted only if every level allows it: an explicit Deny at any level, or the absence of an Allow at any level, blocks the action. The effective permissions are therefore the intersection of all levels, so the most restrictive outcome wins
- Compliance Enforcement: SCPs help enforce compliance requirements by preventing users from performing actions that violate security policies. For example, you can prevent users from creating resources in certain regions or using specific services. When writing a region-restriction SCP, exempt global services such as IAM, STS, and Organizations (typically with a NotAction list), otherwise their calls are blocked as well
__
Resource Policies:
Resource Policy Fundamentals:
- What Resource Policies are: Policies attached directly to AWS resources that control who can access those resources and what actions they can perform. Unlike identity-based IAM policies, which are attached to a user, group, or role, resource policies are attached to the resource itself and therefore include a Principal element naming who is granted access
- Cross-Account Access: Resource policies enable secure access to resources across different AWS accounts. For example, an S3 bucket policy can allow users from another account to access specific objects in the bucket
Policy Implementation:
- Service-Specific Policies: Different AWS services have their own resource policy formats. S3 bucket policies, IAM role trust policies, and KMS key policies are examples of resource policies
- Policy Evaluation: When a user requests access to a resource, AWS evaluates both the user's IAM permissions and the resource policy. For cross-account access both must allow the action, and an explicit Deny in either one always wins; within a single account, an Allow in either the identity policy or the resource policy is enough for most services. The SCPs of the principal's account are applied on top of both
- Security Benefits: Resource policies provide fine-grained control over resource access and help implement the principle of least privilege. They also enable secure cross-account resource sharing
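To make the evaluation rules from the SCP section and the resource-policy section concrete, here is an added Python model (not AWS code and not part of the original notes) that applies them to constructed sample policies: a root-to-account SCP chain with a region lock on the "Production" OU, and a cross-account S3 bucket policy. Only Action/NotAction, Resource, an account Principal, and the aws:RequestedRegion StringNotEquals condition are modelled; the account IDs and bucket name are placeholders.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _stmt_matches(stmt, action, resource, region, principal):
    """Does this statement apply to the request? (simplified model of IAM matching)"""
    hit = any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", stmt.get("NotAction", "*"))))
    if "NotAction" in stmt:          # NotAction: statement applies to every action NOT listed
        hit = not hit
    hit = hit and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
    if "Principal" in stmt:          # resource policies name who is granted access
        hit = hit and principal in _as_list(stmt["Principal"].get("AWS", []))
    region_cond = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if region_cond is not None:      # only this one condition key is modelled
        hit = hit and region not in _as_list(region_cond)
    return hit

def evaluate(policy, action, resource="*", region="us-east-1", principal=None):
    """One policy document: explicit Deny wins, then Allow, else implicit deny (None)."""
    effects = {s["Effect"] for s in policy["Statement"] if _stmt_matches(s, action, resource, region, principal)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)

def scp_chain_allows(chain, action, resource="*", region="us-east-1"):
    """SCPs at the root, every OU on the path and the account are all evaluated; each level must allow."""
    return all(evaluate(p, action, resource, region) == "Allow" for p in chain)

def resource_access_allowed(identity_policy, resource_policy, action, resource, principal, same_account):
    """Identity policy + resource policy: a Deny anywhere wins; cross-account needs an Allow
    from both sides, same-account needs an Allow from either."""
    verdicts = (evaluate(identity_policy, action, resource),
                evaluate(resource_policy, action, resource, principal=principal))
    if "Deny" in verdicts:
        return False
    return "Allow" in verdicts if same_account else verdicts == ("Allow", "Allow")

# Constructed sample documents; 222222222222 and shared-reports are placeholders
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
REGION_LOCK = {"Statement": [  # OU-level: FullAWSAccess plus a deny outside eu-west-1, global services exempted
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
PROD_CHAIN = [FULL_ACCESS, REGION_LOCK, FULL_ACCESS]   # root -> "Production" OU -> member account
READER_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::shared-reports/*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-reports/*"}]}

if __name__ == "__main__":
    print("RunInstances in us-east-1 under prod chain:", scp_chain_allows(PROD_CHAIN, "ec2:RunInstances"))
    print("Cross-account GetObject:", resource_access_allowed(READER_IDENTITY, BUCKET_POLICY, "s3:GetObject",
          "arn:aws:s3:::shared-reports/q1.csv", "arn:aws:iam::222222222222:root", same_account=False))
```

The account-level SCP in PROD_CHAIN is FullAWSAccess, yet RunInstances outside eu-west-1 is still blocked, which is the inheritance rule in action.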
____
Analogy: A Corporate Headquarters System
Imagine you're managing a corporate headquarters that oversees multiple branch offices across different regions.
AWS Organizations: Your corporate headquarters that manages all branch offices from a central location. The headquarters has authority over all branches and can create new offices as needed.
Control Tower: Your corporate security system that ensures all branches follow company policies automatically. New branches are created with built-in security controls and compliance standards.
Service Control Policies: Your corporate policies that all branches must follow regardless of their individual preferences. These policies prevent branches from taking actions that violate company standards.
Resource Policies: Your access cards that work across different branch locations. Employees can access specific resources at other branches based on their role and the resource owner's permission.
Multi-Account Security: Your comprehensive security system that protects the entire corporate network while allowing controlled access between branches when needed.
____
Common Applications:
- Enterprise Management: Centralized governance of multiple AWS accounts for large organizations
- Compliance: Enforcing security and compliance policies across all accounts
- Cost Management: Consolidated billing and cost allocation across accounts
- Security: Implementing consistent security controls and access policies
- DevOps: Managing development, testing, and production environments in separate accounts
____
Quick Note: The "Multi-Account Foundation"
- Use AWS Organizations to centrally manage multiple accounts and reduce administrative overhead
- Implement Control Tower for automated security and compliance controls
- Use SCPs to enforce security policies and prevent unauthorized actions
- Leverage resource policies for secure cross-account resource sharing
- Regularly audit and review policies to ensure they meet your security requirements