Enable Resource Control Policies (RCPs) for AWS Organizations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Resource Control Policies (RCPs) are enabled for AWS Organizations in order to establish a centralized mechanism to enforce governance and control over resource access and usage across all member accounts. This helps ensure compliance, prevent unauthorized actions, and reduce security risks by restricting access to only approved services and configurations.

This rule can help you work with the AWS Well-Architected Framework.

Security

Resource Control Policies (RCPs) are organization policies that centrally set the maximum available permissions for resources in the member accounts of an AWS Organization. Where Service Control Policies (SCPs) bound what the principals in your accounts can do, RCPs bound who can access your resources, regardless of which account or organization the caller belongs to. For example, you can restrict the S3 buckets in your accounts so that they can only be accessed by principals that belong to your AWS organization. RCPs do not grant permissions: every statement in an RCP must use "Effect": "Deny" with "Principal": "*", and access still has to be granted by the usual identity-based or resource-based IAM policies. RCPs also have a limited scope. They apply only to resource types of the supported services (Amazon S3, AWS STS, AWS KMS, Amazon SQS, and AWS Secrets Manager at launch), and they do not affect resources in the organization's management account. Used together with SCPs, RCPs let you centrally establish a data perimeter across your AWS cloud environment, mitigating the risk of unintended access by principals outside your organization.


Audit

To determine if Resource Control Policies (RCPs) are enabled for your AWS Organizations, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console using your AWS Organization management account credentials.

02 Navigate to AWS Organizations console available at https://console.aws.amazon.com/organizations/.

03 In the left navigation panel, under AWS accounts, choose Policies. Policies in AWS Organizations allow you to manage different features and settings of AWS accounts within your organization.

04 In the Supported policy types section, check the Status column for the "Resource control policies" policy type. If Status is set to Disabled, Resource Control Policies (RCPs) are not enabled for your AWS Organization.

Using AWS CLI

01 Run organizations list-roots command (OSX/Linux/UNIX) with custom query filters to determine if Resource Control Policies (RCPs) are enabled for your AWS Organization. This command can be called only from the organization's management account or from a member account designated as a delegated administrator:

aws organizations list-roots \
    --query 'Roots[*].PolicyTypes[?Type==`RESOURCE_CONTROL_POLICY`].Status | []'

02 The command output should return the operational state of the Resource Control Policies at the root of your organization:

[]

If the organizations list-roots command output returns an empty array (i.e., []) as shown in the example above, Resource Control Policies (RCPs) are not enabled for your AWS Organization. When RCPs are enabled, the command returns the status of the policy type instead, i.e., ["ENABLED"]. A value of ["PENDING_ENABLE"] means that enabling the policy type has been requested but has not finished propagating yet; re-run the command until the status is ENABLED.

Remediation / Resolution

To ensure that Resource Control Policies (RCPs) are enabled and configured for your AWS Organizations, perform the following operations:

RCPs are available only in AWS Organizations that have all features enabled. To ensure that your organizations have all features enabled, follow the steps outlined on this page.

Using AWS Console

01 Sign in to the AWS Management Console using your AWS Organization management account credentials.

02 Navigate to AWS Organizations console available at https://console.aws.amazon.com/organizations/.

03 Before you can create and attach a Resource Control Policy (RCP) to your AWS Organization, you must enable that policy type for use. In the left navigation panel, under AWS accounts, choose Policies to view the policy types supported by AWS Organizations.

04 In the Supported policy types section, click on the Resource control policies link, and choose Enable Resource control policies to enable Resource Control Policies (RCPs) for your organization. After RCPs are enabled, the console displays the list of policies of that type. You will see a new policy named RCPFullAWSAccess. This is an automatically created, AWS-managed policy attached to every entity in your organization (root, OUs, and accounts). RCPFullAWSAccess grants all principals full access to the organization's resources, so until you create and attach your own Resource Control Policies (RCPs), all of your existing IAM permissions continue to operate as they did.

05 On the Resource control policies page, choose Create policy, and perform the following actions to create a new Resource Control Policy:

  1. Enter a unique name for the new policy in the Policy name box.
  2. (Optional) Provide a short description of the policy in the Policy description - optional text box.
  3. (Optional) Add one or more tag sets by choosing Add tag and then entering a key and a value.
  4. Enter the policy document for your new RCP into the policy editor box. As an example, the following policy limits access to the S3 buckets in your accounts to principals within your organization. Replace the placeholder "o-abcdabcdab" with your own organization ID. Both condition operators must match for the Deny to apply: a request is denied when the calling principal's organization ID is not yours and the caller is not an AWS service principal. Because the operators are the ...IfExists variants, a request that carries neither key, such as an unauthenticated (anonymous) request, is also denied:
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "EnforceStrictS3AccessControls",
    			"Principal": "*",
    			"Action": "s3:*",
    			"Effect": "Deny",
    			"Resource": "*",
    			"Condition": {
    				"StringNotEqualsIfExists": {
    					"aws:PrincipalOrgID": "o-abcdabcdab"
    				},
    				"BoolIfExists": {
    					"aws:PrincipalIsAWSService": "false"
    				}
    			}
    		}
    	]
    }
    
  5. Choose Create policy to create your new Resource Control Policy (RCP).

06 Select the newly created RCP, choose Actions, and select Attach policy.

07 In the AWS Organization section, select the organizational structure that you want to attach the new policy to, then choose Attach policy. You can attach the policy to the root of your organization, to an OU, or to specific AWS accounts within your organization. Because this policy denies S3 access to every principal outside your organization, including third-party vendors, partner accounts, and external CI/CD systems that legitimately read your buckets, attach it to a test OU first and review the effect before attaching it to the root.

Using AWS CLI

The following commands can be called only from the organization's management account or from a member account designated as a delegated administrator.

01 Run organizations list-roots command (OSX/Linux/UNIX) with custom query filters to return the root ID of your AWS Organization:

aws organizations list-roots --query 'Roots[*].Id'

02 The command output should return the root ID of your organization:

[
	"r-abcd"
]

03 Run organizations enable-policy-type command (OSX/Linux/UNIX) to enable Resource Control Policies (RCPs) in the root of your AWS Organization:

aws organizations enable-policy-type \
    --root-id r-abcd \
    --policy-type RESOURCE_CONTROL_POLICY

04 The command output should return the root information available for your organization. Enabling a policy type is asynchronous, so the status is reported as PENDING_ENABLE at first; re-run organizations list-roots until the status of RESOURCE_CONTROL_POLICY changes to ENABLED before creating policies of that type:

{
	"Root": {
		"Id": "r-abcd",
		"Arn": "arn:aws:organizations::123456789012:root/o-abcdabcdab/r-abcd",
		"Name": "Root",
		"PolicyTypes": [
			{
				"Type": "RESOURCE_CONTROL_POLICY",
				"Status": "PENDING_ENABLE"
			},
			{
				"Type": "SERVICE_CONTROL_POLICY",
				"Status": "ENABLED"
			}
		]
	}
}

05 After you enable Resource Control Policies (RCPs) for your organization, you can create and attach RCPs to the root, any organizational unit (OU), or account in that root. Define a new RCP and save the policy document to a JSON file named cc-resource-control-policy.json. As an example, the following policy limits access to the S3 buckets in your accounts to principals within your organization (replace the placeholder "o-abcdabcdab" with your own organization ID). In other words, if the request does not originate from a principal within your organization or from an AWS service principal, access to the S3 buckets is denied; an unauthenticated request, which carries neither condition key, is denied as well:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "EnforceStrictS3AccessControls",
			"Effect": "Deny",
			"Principal": "*",
			"Action": "s3:*",
			"Resource": "*",
			"Condition": {
				"StringNotEqualsIfExists": {
					"aws:PrincipalOrgID": "o-abcdabcdab"
				},
				"BoolIfExists": {
					"aws:PrincipalIsAWSService": "false"
				}
			}
		}
	]
}

06 Run organizations create-policy command (OSX/Linux/UNIX) to create a new Resource Control Policy (RCP) using the policy document defined at the previous step (i.e., cc-resource-control-policy.json):

aws organizations create-policy \
    --type RESOURCE_CONTROL_POLICY \
    --description "Enforce strict Amazon S3 access controls" \
    --name cc-enforce-s3-access-control-policy \
    --content file://cc-resource-control-policy.json

07 The command output should return the configuration information for the new RCP (including the policy ID, i.e., Policy.PolicySummary.Id):

{
	"Policy": {
		"PolicySummary": {
			"Id": "p-0abcd1234a",
			"Arn": "arn:aws:organizations::123456789012:policy/o-abcdabcdab/resource_control_policy/p-0abcd1234a",
			"Name": "cc-enforce-s3-access-control-policy",
			"Description": "Enforce strict Amazon S3 access controls",
			"Type": "RESOURCE_CONTROL_POLICY",
			"AwsManaged": false
		},
		"Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"EnforceStrictS3AccessControls\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":\"*\",\"Condition\":{\"StringNotEqualsIfExists\":{\"aws:PrincipalOrgID\":\"o-abcdabcdab\"},\"BoolIfExists\":{\"aws:PrincipalIsAWSService\":\"false\"}}}]}"
	}
}

08 Run organizations attach-policy command (OSX/Linux/UNIX) to attach the newly created Resource Control Policy (RCP) to the necessary target in your organization. You can attach the policy to the root of your organization, to an OU, or to specific AWS accounts within your organization. Attach it to a test OU first if you have external principals that legitimately access your buckets. As an example, the following command attaches the policy to the root of an organization. If successful, the attach-policy command request does not produce an output:

aws organizations attach-policy \
    --policy-id p-0abcd1234a \
    --target-id r-abcd
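The audit and remediation steps above, plus a dry run of the policy's condition logic, as one added example script. This is not code from the Conformity page or from AWS; it is written here to show the pieces a practitioner usually wants automated: reading the RCP status out of a list-roots response, building the policy from a real organization ID rather than the placeholder, waiting for the PENDING_ENABLE to ENABLED transition before creating the policy, and checking which request contexts the Deny actually matches. The Organizations client is injected, so the script runs offline against the constructed FakeOrganizations class; in real use pass boto3.client("organizations") from the management account or a delegated administrator. The evaluator models only the two ...IfExists operators the policy uses, not full IAM policy evaluation.

```python
# Added example, not from the Conformity page or from AWS: audit the RCP policy
# type, build the S3 organization-perimeter RCP from a real org ID, enable the
# type and wait for ENABLED, and dry-run the policy's conditions against sample
# requests. The client is injected, so it runs offline against FakeOrganizations.
import json
import re
from fnmatch import fnmatch

RCP = "RESOURCE_CONTROL_POLICY"


def rcp_status(list_roots_response: dict) -> str:
    """Audit: RCP status at the root, or 'DISABLED' when the type is absent."""
    for root in list_roots_response.get("Roots", []):
        for policy_type in root.get("PolicyTypes", []):
            if policy_type.get("Type") == RCP:
                return policy_type.get("Status", "DISABLED")
    return "DISABLED"


def build_s3_org_perimeter_rcp(org_id: str) -> dict:
    """The page's Deny-only RCP (RCPs allow only Deny with Principal "*")."""
    if not re.fullmatch(r"o-[a-z0-9]{10,32}", org_id):
        raise ValueError(f"not an AWS organization ID: {org_id!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "EnforceStrictS3AccessControls",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
        }}]}


def rcp_denies(policy: dict, action: str, ctx: dict) -> bool:
    """Dry-run: True if a Deny statement matches `action` under context `ctx`.
    Models only the two ...IfExists operators above: a key missing from ctx
    satisfies its operator, and the operators in one block are ANDed, so an
    anonymous request with no keys at all is denied."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(
                fnmatch(action.lower(), a.lower()) for a in actions):
            continue
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, want in pairs.items():
                if key not in ctx:
                    continue  # IfExists: absent key does not block the Deny
                have = str(ctx[key]).lower()
                if operator == "StringNotEqualsIfExists":
                    matched &= have != want.lower()
                elif operator == "BoolIfExists":
                    matched &= have == want.lower()
                else:
                    raise NotImplementedError(operator)
        if matched:
            return True
    return False


def enable_rcps(org, root_id: str, org_id: str, policy_name: str, max_polls: int = 30) -> str:
    """Remediate: enable the type, poll until PENDING_ENABLE becomes ENABLED,
    create the policy and attach it to the root. `org` is a boto3 Organizations
    client or any object with the same four methods. Returns the policy ID."""
    if rcp_status(org.list_roots()) == "DISABLED":
        org.enable_policy_type(RootId=root_id, PolicyType=RCP)
    for _ in range(max_polls):
        if rcp_status(org.list_roots()) == "ENABLED":
            break
    else:
        raise TimeoutError("RCP policy type did not reach ENABLED")
    created = org.create_policy(
        Type=RCP, Name=policy_name, Description="Enforce strict Amazon S3 access controls",
        Content=json.dumps(build_s3_org_perimeter_rcp(org_id)))
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=root_id)
    return policy_id


class FakeOrganizations:
    """Constructed stand-in for boto3.client('organizations'): RCPs start
    disabled and go PENDING_ENABLE -> ENABLED on the second list_roots call."""
    def __init__(self):
        self.types, self.polls, self.attached = [], 0, []

    def list_roots(self):
        self.polls += 1
        if self.types and self.polls > 1:
            self.types[0]["Status"] = "ENABLED"
        return {"Roots": [{"Id": "r-abcd", "PolicyTypes": list(self.types)}]}

    def enable_policy_type(self, RootId, PolicyType):
        self.types, self.polls = [{"Type": PolicyType, "Status": "PENDING_ENABLE"}], 0

    def create_policy(self, **kw):
        json.loads(kw["Content"])  # the real API rejects non-JSON content
        return {"Policy": {"PolicySummary": {"Id": "p-0abcd1234a", "Name": kw["Name"]}}}

    def attach_policy(self, PolicyId, TargetId):
        self.attached.append((PolicyId, TargetId))


if __name__ == "__main__":
    fake = FakeOrganizations()
    print(enable_rcps(fake, "r-abcd", "o-abcdabcdab", "cc-enforce-s3-access-control-policy"))
    print(rcp_denies(build_s3_org_perimeter_rcp("o-abcdabcdab"), "s3:GetObject", {}))
```

The polling loop matters in practice: create-policy with --type RESOURCE_CONTROL_POLICY fails while the type is still PENDING_ENABLE, so a script that chains enable-policy-type straight into create-policy is racy. The dry-run function is the cheapest way to confirm the two things people most often get wrong about this policy: an AWS service principal (aws:PrincipalIsAWSService = true) is allowed through even though it carries no aws:PrincipalOrgID, and a request with no principal context at all is denied.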

Publication date Dec 4, 2024