Get Your Free SCPs
Download these free and essential SCPs today to fortify your cloud security. These 5 SCPs help you with 5 very specific use cases to keep your cloud secure.
1. Prevent Perimeter Breaches
This SCP denies identities the ability to bypass network controls and helps prevent holes in your cloud perimeter. Specifically, it blocks identities that are not authorized by AWS IAM from using presigned URLs – an easy method to use to avoid authentication. Specifically, these help prevent unauthorized access to SageMaker resources and Lambda functions.
2. Block Tampering of Security Controls
This SCP addresses some common security controls your organization may want to protect, but it is not an exhaustive list. Specifically, it blocks the tampering of log monitoring and security controls in CloudTrail, EC2, GuardDuty, S3 and more.
3. Uphold Security Best Practices
This SCP is set to enforce some common best practices your organization may want to uphold moving forward. For example, your team may have turned on default encryption for EBS volumes to meet compliance measures, turned off over-permissive default VPCs, or blocked identities from creating IAM users and access keys. It is easy to add any other infrastructure element limitations that make sense for your organization; this is just a strong starting point.
4. Enforce Encryption of Files
This SCP will deny anyone from uploading unencrypted files to S3 – except for any known exceptions you want to add in. First, it denies any file upload that isn’t encrypted, and second, it must be a specific type of encryption. This is a great policy to use where you want centralized controls (as opposed to bucket by bucket access control) like in the case of a production account.
5. Enforce Separation of Duties
Limit who can attach IAM policies and prevent privilege escalation with this SCP. Again, this is not an exhaustive list of permissions, but does prevent manipulation of IAM users and roles. The second half allows you to identify an assigned role you want to perform IAM activities. Optional addition for SSO users.