
Suspend Actions In Account Before Deletion

Deny all actions in the accounts of an OU before those accounts are deleted. Effectively a scream test: the accounts keep their resources and data, but nothing can be created, changed or read through the API, so anyone still depending on one of them finds out, and complains, before the account is actually closed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventActionsInSuspendedOU",
      "Effect": "Deny",
      "NotAction": [
        "support:*",
        "ce:*",
        "aws-portal:ViewBilling",
        "budgets:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:*:iam::*:role/security-audit",
            "arn:*:iam::*:role/OrganizationAccountAccessRole",
            "arn:*:iam::*:role/stacksets-exec-*",
            "arn:*:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
          ]
        }
      }
    }
  ]
}

Policy Explanation

Purpose

This SCP is attached to an OU that serves as a holding area for accounts scheduled for closure ("suspended" here is the OU's name and purpose, not the SUSPENDED status AWS assigns to an account after it has been closed). It denies every API action in those accounts except a small set of support, billing, cost and budget actions, and exempts a fixed list of IAM roles so that organization administrators, CloudFormation StackSets and AWS Config can keep working. Because an SCP applies to every IAM principal in a member account, including the root user, the policy freezes the account for everyone else while leaving its resources and data in place until someone decides to close it.

Policy Elements

  • Version: Specifies the version of the policy language. In this case, it is 2012-10-17.
  • Statement: Contains the main policy elements.
    • Sid (Statement ID): A unique identifier for the statement, PreventActionsInSuspendedOU.
    • Effect: Set to Deny, indicating that the policy denies access.
    • NotAction: Lists the actions this statement does not deny; every other action is denied. An SCP never grants anything, so these actions are merely left to whatever the principal's IAM policies allow. The actions left undenied are:
      • support:*: All AWS Support actions.
      • ce:*: All Cost Explorer actions.
      • aws-portal:ViewBilling: Viewing AWS billing information.
      • budgets:*: All actions related to AWS Budgets.
    • Resource: Specifies the resources to which the policy applies. Here, it applies to all resources ("*").
    • Condition: Adds conditions to the policy.
      • ArnNotLike: Makes the statement apply only when the value of aws:PrincipalArn matches none of the listed patterns. For a role session aws:PrincipalArn carries the IAM role's ARN (arn:aws:iam::<account>:role/<name>), not the sts assumed-role session ARN, which is why role patterns work here. Matching is per ARN component and case-sensitive, so an IAM user named security-audit, or a role named Security-Audit, is not exempt. The exempted roles are:
        • arn:*:iam::*:role/security-audit: A security audit role. The name is the author's convention; substitute the read-only audit role your organization actually uses.
        • arn:*:iam::*:role/OrganizationAccountAccessRole: The role the management account assumes to administer member accounts. Without this exemption the management account could not perform the eventual closure or any clean-up from inside the account.
        • arn:*:iam::*:role/stacksets-exec-*: Execution roles used by CloudFormation StackSets. This pattern assumes a custom naming convention; the default self-managed execution role is named AWSCloudFormationStackSetExecutionRole, so adjust the pattern if you use the default.
        • arn:*:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig: The service-linked role for AWS Config. SCPs do not affect service-linked roles in any case, so this entry is harmless but redundant; it documents the intent rather than changing behaviour.
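Before attaching a Deny/NotAction policy to an OU it is worth confirming exactly which principal and action pairs it leaves alone, because a mistake here locks people out of a live account or, worse, leaves an exempt pattern wider than intended. The following script is an added example, not code from the page or from AWS: it re-implements the IAM matching rules this statement relies on (case-insensitive action matching with `*` and `?`, and the per-component, case-sensitive ArnLike comparison) and evaluates the SCP above offline. The account ID 111122223333 and the principal names in `scream_test_matrix` are constructed; it models only the ArnNotLike condition on aws:PrincipalArn that this policy uses.

```python
"""Offline evaluator for the PreventActionsInSuspendedOU SCP.

Added example (not the page's or AWS's code). Models IAM's action and ARN
wildcard matching for a single Deny statement with NotAction and an
ArnNotLike condition on aws:PrincipalArn. Account ID and role names are
constructed test data.
"""
import re

# The SCP from the page.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PreventActionsInSuspendedOU",
        "Effect": "Deny",
        "NotAction": ["support:*", "ce:*", "aws-portal:ViewBilling", "budgets:*"],
        "Resource": ["*"],
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": [
            "arn:*:iam::*:role/security-audit",
            "arn:*:iam::*:role/OrganizationAccountAccessRole",
            "arn:*:iam::*:role/stacksets-exec-*",
            "arn:*:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        ]}},
    }],
}


def _iam_wildcard_match(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def action_matches(pattern: str, action: str) -> bool:
    """Action strings ("service:Operation") are matched case-insensitively."""
    return _iam_wildcard_match(pattern, action, case_sensitive=False)


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike/ArnNotLike: the six colon-separated ARN components are compared
    one by one, case-sensitively; wildcards may appear in any component."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    return all(_iam_wildcard_match(pc, ac, True) for pc, ac in zip(p, a))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy: dict, principal_arn: str, action: str, resource: str = "*") -> bool:
    """True if a Deny statement in `policy` applies to this request.

    False only means the SCP does not block the call; the principal still
    needs an IAM allow. Root (arn:aws:iam::<acct>:root) is subject to SCPs
    and is evaluated like any other principal. Service-linked roles and the
    management account are outside SCP scope and are not modelled here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt and not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if "NotAction" in stmt and any(action_matches(p, action) for p in _as_list(stmt["NotAction"])):
            continue  # action is in the NotAction list, so this Deny does not apply
        if not any(r == "*" or arn_like(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        # Only the ArnNotLike / aws:PrincipalArn condition used by this policy is modelled.
        exempt = _as_list(stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", []))
        if any(arn_like(p, principal_arn) for p in exempt):
            continue  # principal matches an exempt pattern, condition is false
        return True
    return False


def scream_test_matrix(policy: dict) -> dict:
    """Evaluate constructed principals in account 111122223333 against actions a
    suspended account is likely to see; returns {(principal, action): denied}."""
    principals = {
        "developer": "arn:aws:iam::111122223333:role/developer",
        "root": "arn:aws:iam::111122223333:root",
        "org-access": "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole",
        "stacksets": "arn:aws:iam::111122223333:role/stacksets-exec-prod",
        "audit-user": "arn:aws:iam::111122223333:user/security-audit",  # a user, not the role
    }
    actions = ["ec2:RunInstances", "s3:GetObject", "support:CreateCase",
               "ce:GetCostAndUsage", "aws-portal:ViewBilling", "aws-portal:ModifyBilling"]
    return {(who, act): scp_denies(policy, arn, act)
            for who, arn in principals.items() for act in actions}


if __name__ == "__main__":
    for (who, act), denied in sorted(scream_test_matrix(SCP).items()):
        print(f"{who:12} {act:28} {'DENIED' if denied else 'not denied by SCP'}")
```

Run it as-is to print the matrix, or point `scp_denies` at your own role ARNs before attaching the policy. Two rows are the ones to look at: the root user is denied like everyone else, and an IAM user named security-audit gets no exemption because the pattern only matches role ARNs.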

Usage

When to Use

  • To freeze accounts that have been moved into a pre-deletion OU: nothing can be created, modified or read through the API, but nothing is destroyed, so the account can be moved back out if someone screams.
  • To keep support cases, Cost Explorer, the billing console view and Budgets reachable for any principal whose IAM policies allow them, while everything else is reserved for the exempted administrative and automation roles.

Benefits

  • Stops new resources and configuration changes in accounts nobody should be using any more, without deleting anything, so the change is reversible until the account is closed.
  • Keeps financial and support visibility: billing, cost and budget data stay readable while the account is frozen.
  • Lets the organization's administrative role, StackSets and AWS Config keep operating so the eventual clean-up and closure can be automated.

Potential Drawbacks

  • A wrong role name or pattern in the ArnNotLike list silently locks out the roles it was meant to exempt, including the one you need to fix the policy; test the exemptions against your real role ARNs before attaching the SCP.
  • The exemption is purely name-based. Any role that already exists with a matching name (for example one created as stacksets-exec-anything before the account was moved) bypasses the policy with whatever IAM permissions it holds, so review the roles in the account when you move it into the OU.
  • The policy does not apply to the management account at all, and SCPs never restrict service-linked roles, so do not rely on it for either.
  • aws-portal:ViewBilling is a legacy action; AWS has been replacing the aws-portal actions with fine-grained billing, cost-management and account actions, so check which set your accounts use and extend the NotAction list accordingly, or billing visibility may be lost for newer accounts.

Conclusion

This SCP turns a pre-deletion OU into a safe holding area: accounts placed in it are frozen for every principal, root included, while support, billing, cost and budget actions stay available and a short list of administrative and automation roles retains full access. Its effectiveness depends entirely on the accuracy of the exempted role patterns, so verify them against the roles actually present in the accounts and review the list whenever your naming conventions change.
