Restrict Critical Account and Billing Actions

This Service Control Policy (SCP) is designed to restrict critical account and billing actions to specific roles, thereby preventing unauthorized changes that could compromise account security or financial operations. This policy denies a wide range of actions unless performed by specific IAM roles.

Policy Details

Scope: This SCP should be applied to the Root Organizational Unit (OU).

JSON Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "account:CloseAccount",
        "account:DeleteAlternateContact",
        "account:DisableRegion",
        "account:EnableRegion",
        "account:PutAlternateContact",
        "account:PutChallengeQuestions",
        "account:PutContactInformation",
        "billing:PutContractInformation",
        "billing:UpdateBillingPreferences",
        "billing:UpdateIAMAccessPreference",
        "iam:CreateAccountAlias",
        "iam:DeleteAccountAlias",
        "iam:DeleteAccountPasswordPolicy",
        "iam:UpdateAccountEmailAddress",
        "iam:UpdateAccountName",
        "iam:UpdateAccountPasswordPolicy",
        "invoicing:PutInvoiceEmailDeliveryPreferences",
        "organizations:LeaveOrganization",
        "payments:CreatePaymentInstrument",
        "payments:DeletePaymentInstrument",
        "payments:MakePayment",
        "payments:UpdatePaymentPreferences",
        "purchase-orders:AddPurchaseOrder",
        "purchase-orders:DeletePurchaseOrder",
        "purchase-orders:ModifyPurchaseOrders",
        "purchase-orders:UpdateConsoleActionSetEnforced",
        "purchase-orders:UpdatePurchaseOrder",
        "purchase-orders:UpdatePurchaseOrderStatus",
        "tax:BatchPutTaxRegistration",
        "tax:DeleteTaxRegistration",
        "tax:PutTaxInheritance",
        "tax:PutTaxInterview",
        "tax:PutTaxRegistration",
        "tax:UpdateExemptions"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
            "arn:*:iam::*:role/stacksets-exec-*",
            "arn:*:iam::*:role/OrganizationAccountAccessRole"
          ]
        }
      }
    }
  ]
}

Policy Breakdown

  1. Effect: Deny
    • Actions: This policy denies a comprehensive list of actions related to account management, billing, IAM, invoicing, payments, purchase orders, and tax settings. This includes actions like closing the account, modifying billing preferences, creating or deleting payment instruments, and leaving the organization.
    • Resources: All resources (*).
    • Condition:
      • The actions are denied unless the request's aws:PrincipalArn matches (via StringNotLike) one of the following role ARN patterns, in any partition and any account:
        • "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE"
        • "arn:*:iam::*:role/stacksets-exec-*"
        • "arn:*:iam::*:role/OrganizationAccountAccessRole"

Key Actions Restricted

  • Account Management:

    • account:CloseAccount
    • account:DeleteAlternateContact
    • account:DisableRegion
    • account:EnableRegion
    • account:PutAlternateContact
    • account:PutChallengeQuestions
    • account:PutContactInformation
  • Billing:

    • billing:PutContractInformation
    • billing:UpdateBillingPreferences
    • billing:UpdateIAMAccessPreference
  • IAM:

    • iam:CreateAccountAlias
    • iam:DeleteAccountAlias
    • iam:DeleteAccountPasswordPolicy
    • iam:UpdateAccountEmailAddress
    • iam:UpdateAccountName
    • iam:UpdateAccountPasswordPolicy
  • Invoicing and Payments:

    • invoicing:PutInvoiceEmailDeliveryPreferences
    • payments:CreatePaymentInstrument
    • payments:DeletePaymentInstrument
    • payments:MakePayment
    • payments:UpdatePaymentPreferences
  • Purchase Orders and Tax:

    • purchase-orders:AddPurchaseOrder
    • purchase-orders:DeletePurchaseOrder
    • purchase-orders:ModifyPurchaseOrders
    • purchase-orders:UpdateConsoleActionSetEnforced
    • purchase-orders:UpdatePurchaseOrder
    • purchase-orders:UpdatePurchaseOrderStatus
    • tax:BatchPutTaxRegistration
    • tax:DeleteTaxRegistration
    • tax:PutTaxInheritance
    • tax:PutTaxInterview
    • tax:PutTaxRegistration
    • tax:UpdateExemptions

Benefits

  • Enhanced Security: Restricts critical account and billing actions to specific roles, reducing the risk of unauthorized changes.
  • Controlled Access: Ensures that only designated roles can perform sensitive operations, maintaining tight control over account management and financial settings.
  • Regulatory Compliance: Helps in maintaining compliance with organizational policies and regulatory requirements by preventing unauthorized actions.

Potential Drawbacks

  • Operational Overhead: Legitimate actions might require additional steps to temporarily allow them, potentially slowing down necessary changes.
  • Role Management Complexity: Managing and ensuring the correct roles are specified and kept up-to-date can add complexity to administrative tasks.

Implementation Steps

  1. Identify Roles:

    • Define and confirm the IAM roles that should be allowed to perform the restricted actions. Replace NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE with the actual role name used in your organization.
  2. Apply the SCP to the Root OU:

    • Navigate to the AWS Organizations console.
    • Select the Root OU.
    • Attach the above SCP to enforce these restrictions across all accounts within the Root OU.
  3. Review and Test:

    • Verify that the policy does not interfere with necessary operations by testing in a controlled environment.
    • Monitor for any issues and adjust as necessary.
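To check the exemption patterns against the principals that exist in your accounts before attaching the SCP (step 3), here is an added example that is not part of the original page and not AWS's own policy engine: a small Python evaluator of this statement's Deny condition using IAM StringLike wildcard semantics. The action list is a subset of the policy's, the three role patterns are the policy's own, and the account ID and other role or user names are constructed.

```python
import re

# Deny statement from the SCP above, trimmed to the fields the evaluator needs;
# the exemption patterns are copied verbatim from the policy.
SCP_DENY = {
    "Action": [
        "account:CloseAccount", "billing:UpdateBillingPreferences",
        "organizations:LeaveOrganization", "payments:MakePayment",
    ],
    "Condition": {"StringNotLike": {"aws:PrincipalArn": [
        "arn:*:iam::*:role/NAME_OF_YOUR_CLOUD_ENGINEERING_ROLE",
        "arn:*:iam::*:role/stacksets-exec-*",
        "arn:*:iam::*:role/OrganizationAccountAccessRole",
    ]}},
}


def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly
    one; everything else is literal and the comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_denied(action: str, principal_arn: str, scp: dict = SCP_DENY) -> bool:
    """True when the Deny statement applies. Action names match case-insensitively,
    as in IAM. StringNotLike over a list is true only when the value matches none
    of the patterns, so one matching pattern exempts the principal. For a role
    session IAM sets aws:PrincipalArn to the role ARN (arn:...:iam::acct:role/Name),
    not the sts assumed-role ARN, which is why the exemptions target role/ ARNs."""
    if not any(iam_like(a.lower(), action.lower()) for a in scp["Action"]):
        return False  # action not covered by this statement
    patterns = scp["Condition"]["StringNotLike"]["aws:PrincipalArn"]
    return not any(iam_like(p, principal_arn) for p in patterns)


if __name__ == "__main__":
    acct = "111122223333"  # constructed member-account ID
    for action, arn in [
        ("account:CloseAccount", f"arn:aws:iam::{acct}:role/stacksets-exec-a1b2c3"),
        ("account:CloseAccount", f"arn:aws-cn:iam::{acct}:role/OrganizationAccountAccessRole"),
        ("account:CloseAccount", f"arn:aws:iam::{acct}:role/Developer"),
        ("payments:MakePayment", f"arn:aws:iam::{acct}:user/alice"),
        ("payments:MakePayment", f"arn:aws:iam::{acct}:root"),  # member-account root user
        ("s3:GetObject", f"arn:aws:iam::{acct}:role/Developer"),  # not in the statement
    ]:
        print("DENY " if is_denied(action, arn) else "allow", action, arn)
```

Note that a role such as OrganizationAccountAccessRole2 or an IAM user named stacksets-exec-x is not exempted, because the patterns require an exact `role/` prefix and a full match.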

By implementing this SCP, you can strengthen the security and governance of your AWS accounts, ensuring that only authorized roles can perform critical actions related to account management and billing.