Terraform AWS Service Control Policies

This repo is a collection of AWS Service Control Policies (SCPs) written in Hashicorp Terraform to be used in AWS Organizations.

About Service Control Policies

Considerations

Permission Logic

Content

Usage

An example main.tf for the module to deny the ability to delete CloudTrail Trails:

module "cloudtrail" {
  source = "./modules/cloudtrail"

  # Account ID, OU ID, or root ID the SCP is attached to
  target_id = "123456789012"

  # Credentials and region used by the AWS provider inside the module
  aws_region              = "us-east-1"
  shared_credentials_file = "~/.aws/credentials"
  customprofile           = "default"
}
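To show what such a module does under the hood, here is an added example (not code from this repo) of a stand-alone SCP that denies deleting or stopping CloudTrail trails, attached to a target with the same inputs the module above takes. The variable names, the policy name, and the use of the provider's shared_credentials_files and profile arguments (AWS provider v4 or later) are assumptions for this illustration:

```hcl
# Added example: a minimal SCP denying CloudTrail trail deletion, attached to one target.
variable "target_id" {
  description = "Account ID, OU ID, or root ID to attach the SCP to (assumed input)"
  type        = string
}

variable "aws_region" {
  type    = string
  default = "us-east-1"
}

variable "shared_credentials_file" {
  type    = string
  default = "~/.aws/credentials"
}

variable "customprofile" {
  type    = string
  default = "default"
}

# SCPs are managed from the organization's management account; region only
# matters for the API endpoint, Organizations itself is global.
provider "aws" {
  region                   = var.aws_region
  shared_credentials_files = [var.shared_credentials_file]
  profile                  = var.customprofile
}

# The policy document. SCPs only ever filter permissions; they never grant them,
# so a Deny here applies even to principals with AdministratorAccess in the
# target account (the management account is exempt from SCPs).
resource "aws_organizations_policy" "deny_cloudtrail_delete" {
  name        = "deny-cloudtrail-delete" # assumed name
  description = "Prevent deletion or stopping of CloudTrail trails in member accounts"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyCloudTrailDeleteAndStop"
        Effect = "Deny"
        Action = [
          "cloudtrail:DeleteTrail",
          "cloudtrail:StopLogging",
        ]
        Resource = "*"
      },
    ]
  })
}

# Attachment to the target. Note the constraints described under Common Errors:
# SCPs must be enabled on the root first, a target can never be left with zero
# policies, and the per-target attachment limit applies.
resource "aws_organizations_policy_attachment" "deny_cloudtrail_delete" {
  policy_id = aws_organizations_policy.deny_cloudtrail_delete.id
  target_id = var.target_id
}
```

Because a Deny in an SCP cannot be overridden by any IAM policy in the member account, review the Action list with the account owners before attaching: the same mechanism that protects the audit trail will also block legitimate trail maintenance until the policy is detached.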

Deployment

To deploy all of the AWS security best-practice SCPs, navigate to security_controls_scp:

If you deploy ALL of the security-related SCPs, you will receive an error similar to ConstraintViolationException: You have attached the maximum number of policies to the specified target. We recommend deploying only the SCPs you need by using the -target flag in your terraform apply command. An example command to deploy only the S3 and Lambda SCPs is below:

To Remove the SCPs:

Deployment Dependencies

Common Errors

Enabled Policy Types

error creating Organizations Policy Attachment: PolicyTypeNotEnabledException: This operation can be performed only for enabled policy types.
status code: 400, request id: 2b8ecgeb-34h3-11e6-86fb-275c76986dec

SCP functionality must be enabled on the root. See https://github.com/terraform-providers/terraform-provider-aws/issues/4545 for more information.

Minimum SCP Requirement

aws_organizations_policy_attachment.deny_orgs_leave_attachment: ConstraintViolationException: You cannot remove the last policy attached to the specified target. You must have at least one attached at all times.
status code: 400, request id: 2d6c75b3-5757-13e9-ab76-518b756aebd3

You must have one SCP attached to an account or OU at all times. See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html for more information.

Conflicting Policy Attachment

error creating Organizations Policy Attachment: ConcurrentModificationException: AWS Organizations can't complete your request because it conflicts with another attempt to modify the same entity. Try again later. status code: 400, request id: h725f9g7-1234-12e9-h746-ch123ab12345

Occasionally, attaching many SCPs to one target at the same time fails with this error. If you see it, simply run terraform apply again.

Limitation of Liability

Please view the License for limitations of liability.