AWS Cloud Operations Blog

Delegated Administrators Guide to Effective Controls in AWS Organizations

Introduction

AWS Organizations provides the capability to centrally manage and govern your AWS environment. As an organization, you can delegate administration of specific AWS services integrated with AWS Organizations to authorized individuals or teams. Implementing effective controls for these delegated administrators is essential to ensuring the security, compliance, and operational efficiency of your AWS environment.

This blog post outlines best practices for using IAM policy conditions, Permission boundaries, and Service Control Policies (SCPs) to enhance control and governance in AWS Organizations. By following this guidance, delegated administrators can:

  • Apply fine-grained access controls through the use of IAM policy conditions in identity-based policies
  • Limit the maximum permissions of IAM users and roles using permission boundaries
  • Control the maximum available permissions for the IAM users and IAM roles in your organization through the application of Service Control Policies (SCPs)
  • Implement a layered approach to controls that provides redundancy and mitigates potential gaps or errors
  • Streamline the management of controls across multiple accounts and Organizational Units (OUs)
  • Simplify the process of adhering to your organization’s security policies and compliance requirements

Getting Started with Controls

Let’s dive into how these control mechanisms can be effectively implemented and managed in your AWS environment. We’ll explore best practices, real-world examples, and key considerations for each type of control.

Implementing layered controls can provide additional safeguards and redundancy. However, it’s important to balance the added security benefits with the complexity of managing multiple overlapping policies. We’ll discuss how to find the right approach for your specific needs.

Understanding Preventative Controls

Preventative controls in AWS are predefined rules or policies that ensure resources adhere to organizational policies and best practices.

  • Conditional Statements: Conditional statements in policies allow you to specify conditions under which a policy is in effect, providing finer-grained control over permissions.
  • Permission Boundaries: Permission boundaries are managed policies that control the maximum permissions a principal (IAM user or role) can have. They limit the permissions granted by the principal’s identity-based policies.
  • Service Control Policies (SCPs): SCP’s are policies that specify an account’s maximum permissions. They can be expressed in JSON or YAML and are attached to organizational units (OUs) or accounts within your AWS Organizations to help enforce permission controls across your organization.

Each mechanism – conditional statements, permission boundaries, and SCPs – has its strengths and can be used independently or in combination. A layered approach provides additional safeguards but may increase complexity. The optimal approach depends on your specific requirements, environment complexity, and internal processes. Carefully consider the tradeoffs between added security benefits and the overhead of managing multiple overlapping policies. Work closely with stakeholders to choose the right balance of control mechanisms that effectively enforce your security and compliance standards.

Diagram showing the overlap of SCP's, Identity-based policies, and permissions boundaries to create effective permissions

Figure 1: Layered approach to effective permissions.

Conditional Statements

Conditions set specific parameters to allow or deny permissions in a policy. They can leverage resource tags, service-specific conditions, or global condition keys.  For more information on the available operators and applications of conditions elements in IAM policies, see IAM JSON policy elements: Condition in the AWS Identity and Access Management User Guide.

AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources and is essential for multi-account infrastructures, especially when used with AWS Control Tower for detective controls. AWS Control Tower makes it easy for you to set up and govern a secure, multi-account AWS environment.  Let’s explore how to apply conditional statements, permission boundaries, and Service Control Policies (SCPs) to AWS Config..

Using Conditional Statements with Resource Tags: Resource tags are key-value pairs attached to AWS resources, including Identity and Access Management (IAM) users and roles. They enable more granular access control policies based on tags associated with the principal or resource.

The example below restricts AWS Config access by Department. The following policy grants “config:*” permissions only to users tagged with “department”: “audit”.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "config:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/department": "audit"
        }
      }
    }
  ]
}

This policy ensures only audit team members can perform AWS Config operations, enhancing access control precision.

There are several service-specific conditions, as well as, global condition keys that can be used to apply conditional statements to a policy. For more information, visit AWS global condition context keys in the AWS Identity and Access Management User Guide.

Best Practices for Using Conditional Statements

  1. Specify Conditions for Access: Use conditions in policies to specify when and how permissions are granted. (e.g., IP addresses, time of day, multi-factor authentication)
  2. Use Tags for Resource-Based Conditions: Implement tag-based conditions to control access to resources. This practice allows you to manage permissions based on resource tags.
  3. Combine Multiple Conditions: Use multiple conditions to create more granular policies. Combining conditions can help enforce strict access controls.
  4. Audit and Update Conditions: Regularly audit policies with conditional statements to ensure they remain effective and relevant. Update conditions as your organizational requirements change.

Permission Boundaries

Consider a large financial services company delegating AWS Config administration to an audit team. The company needs to ensure these auditors can perform necessary operations while limiting their maximum permissions to prevent unintended or malicious actions.

Permission boundaries define the maximum permissions a principal (IAM user or role) can have, regardless of their identity-based policies.

Step 1: Create a Permission Boundary Policy

The security team creates a policy that allows all AWS Config operations but explicitly denies the ability to delete Config rules, recorders, or delivery channels. This ensures auditors can manage day-to-day operations without disabling critical Config infrastructure.

Example Permission Boundary Policy:

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM service.
  3. Create a new policy with the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteOrganizationConfigRule",
        "config:DeleteAggregationAuthorization",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:*"
      ],
      "Resource": "*"
    }
  ]
}

Step 2: Create a Permission Set in AWS IAM Identity Center

If the financial services company is using AWS IAM Identity Center, the next step is to create a permission set and apply the permission boundary:

  1. Navigate to the AWS IAM Identity Center service.
  2. Create a new permission set for the AWS Config Auditor role.
  3. Attach necessary policies (e.g., AWS Config Administrator policy) to the permission set.
  4. Edit the permission set and specify the previously created permission boundary policy.

Benefits of This Approach: Limits auditors’ access to defined boundaries, even if identity-based policies grant more permissions; Aligns with the principle of least privilege; Provides confidence in delegating AWS Config administration; Ensures controlled access limited to necessary actions.

By implementing this layered approach, the financial services company can effectively delegate AWS Config administration while maintaining strict control over critical operations. This strategy balances operational needs with security requirements, providing a robust framework for managing permissions in a complex environment.

Best Practices for Using Permission Boundaries

  1. Establish Clear Boundaries: Define permission boundary policies that explicitly limit the maximum permissions for IAM roles and users. Align these boundaries with your organization’s security policies and operational needs.
  2. Enforce the Boundaries: When creating or updating IAM principals (roles and users), always attach the appropriate permission boundary policies. This ensures the principals cannot exceed the defined limits, even if their identity-based policies would grant them more permissions.
  3. Leverage Identity-Based Policies: Use permission boundaries in conjunction with identity-based policies to grant the necessary permissions while still enforcing the maximum allowable access.
  4. Maintain Vigilance: Regularly review and update permission boundary policies to reflect changes in your organization’s security requirements, compliance needs, and operational processes. This helps keep your guardrails effective and up-to-date.

Service Control Policies (SCPs)

Service control policies (SCPs) offer the ability to deny specific actions across an entire organization or Organizational Unit (OU) and apply guardrails to delegated administrator accounts and prevent overly broad permissions. Particularly useful for AWS Config, which allows multiple delegated administrator accounts.

AWS Config integrates with services like Control Tower, enabling detective controls through compliance checks. However, this integration presents risks around Administrators could potentially deleting or modifying rules applied through Control Tower. This could cause drift or compromise security standards and compliance requirements.

Prevent users from disabling AWS Config or changing its rules

This SCP prevents users or roles in any affected account from running AWS Config operations that could disable AWS Config or alter its rules or triggers.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}

Best Practices for Using SCPs

  1. Start Restrictive, Then Expand Thoughtfully: Begin with a baseline SCP that enforces a strict least-privilege model across your organization. This minimizes the risk of granting excessive permissions upfront. As your needs evolve, add permissions incrementally, reviewing the impact on your security and compliance posture.
  2. Protect Critical Operations: Use explicit deny statements in SCPs to prevent actions that could compromise the integrity of your AWS environment. For example, you could deny the ability to delete AWS Config rules or stop the Config configuration recorder, ensuring your detective controls remain intact.
  3. Leverage Organizational Hierarchy: Group accounts with similar permission requirements into Organizational Units (OUs). Apply SCPs at the OU level to streamline management and ensure consistent policy enforcement across related accounts.
  4. Automate Monitoring and Auditing: Integrate your SCP management with AWS CloudTrail and AWS Config to continuously monitor for unauthorized changes or policy violations. This allows you to proactively identify and address any drift from your intended security and compliance standards.
  5. Collaborate Across Teams: Involve stakeholders from security, compliance, and operations teams when defining and reviewing your SCP strategy. This cross-functional approach helps ensure the policies align with your organization’s evolving needs and industry best practices.

Conclusion

Implementing guardrails using SCPs, permission boundaries, and conditional statements is crucial for maintaining a secure and compliant AWS environment. By following these best practices, you can ensure that your organization’s environment operate within defined security and compliance boundaries while enabling delegated administrators to perform their tasks efficiently.

References

Next Steps

  • Implement the best practices for conditional statements, permission boundaries, and SCPs discussed in this post to enhance your AWS Organizations governance. Start with the AWS Organizations Best Practices guide.
  • Set up continuous monitoring of your AWS environment to ensure compliance with your organization’s policies. Consider using AWS Config rules for this purpose.
  • Regularly review and update your access control strategies to align with evolving business needs and security best practices. Use the IAM Access Analyzer to help identify unintended access.

Additional Resources

About the authors

Abraham Musa author photo

Abraham Musa

Abraham is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS based out of New York. He specializes in AWS Control Tower, AWS Organizations, AWS Service Catalog, and AWS Config. Abraham is a United States Army Veteran and enjoys traveling.

Craig Edwards author photo

Craig Edwards

Craig Edwards is a World Wide Technologist with the Critical Capabilities team at AWS based out of Boston Massachusetts. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. Craig is a United States Air Force Veteran and when he is not building cloud solutions, he enjoys being a Father and electric vehicles.

Zukhra Salieva author photo

Zukhra Salieva

Zukhra is a DevOps consultant, she specializes in guiding customers through their cloud journey, optimizing and automating cloud operations. She brings expertise in managing code releases, deployments, and building robust cloud infrastructures. Outside of work, she dedicates time to serving her community and enjoys spending time with family.