Ensure that Resource Control Policies (RCPs) are enabled for AWS Organizations so that you have a centralized mechanism to enforce governance and control over resource access across all member accounts. RCPs help you maintain compliance, prevent unauthorized actions, and reduce security risk by bounding the access that any principal, inside or outside your organization, can obtain to resources in member accounts, regardless of how permissive an individual resource policy is.
This rule can help you work with the AWS Well-Architected Framework.
Resource Control Policies (RCPs) are organization policies that centrally set the maximum available permissions for resources in the member accounts of an AWS Organization, for the services that support them (such as Amazon S3). By implementing RCPs, you can enforce consistent access controls across multiple accounts. For example, you can restrict the S3 buckets in your accounts so that they can be accessed only by principals that belong to your organization, whatever the buckets' own policies allow. RCPs do not grant permissions. They set an upper bound on the permissions that can be effectively granted on a resource, whether by an identity-based or a resource-based policy; to actually authorize access you must still create those IAM policies. Where Service Control Policies (SCPs) bound what the organization's own principals can do, RCPs bound what can be done to the organization's resources, including by principals outside the organization. Used together, SCPs and RCPs let you centrally establish a data perimeter across your AWS environment and mitigate the risk of unintended access.
Audit
To determine whether Resource Control Policies (RCPs) are enabled for your AWS organization, perform the following operations:
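The following audit helper is an added example and is not part of the original page or of AWS's own tooling. It evaluates the JSON that `aws organizations list-roots` returns (RCPs are a policy type that must be enabled on the organization root) and reports the root as compliant only when the `RESOURCE_CONTROL_POLICY` entry has status `ENABLED`; a root still in `PENDING_ENABLE` is reported as non-compliant. A second check looks at `aws organizations list-policies-for-target --filter RESOURCE_CONTROL_POLICY` output and ignores the AWS-managed `RCPFullAWSAccess` policy, which Organizations attaches automatically when the type is enabled and which restricts nothing, so that "enabled" and "actually used" are distinguished. The sample responses, IDs and the script name `audit_rcp.py` are constructed placeholders.

```python
"""Audit helper (added example): decide whether Resource Control Policies are
enabled on every organization root, and whether any customer-managed RCP is
actually attached, from AWS Organizations API responses."""
import json
import sys

RCP_TYPE = "RESOURCE_CONTROL_POLICY"


def rcp_status_by_root(list_roots_response):
    """Map each root ID to the Status of the RESOURCE_CONTROL_POLICY entry in its
    PolicyTypes list ("ENABLED", "PENDING_ENABLE" or "PENDING_DISABLE"), or
    "NOT_ENABLED" when the policy type is absent from the root."""
    statuses = {}
    for root in list_roots_response.get("Roots", []):
        status = "NOT_ENABLED"
        for policy_type in root.get("PolicyTypes", []):
            if policy_type.get("Type") == RCP_TYPE:
                status = policy_type.get("Status", "NOT_ENABLED")
        statuses[root["Id"]] = status
    return statuses


def rcps_enabled(list_roots_response):
    """True only when every root reports the RCP type as ENABLED; a root still
    in PENDING_ENABLE is treated as non-compliant because the type cannot be
    used until enablement completes."""
    statuses = rcp_status_by_root(list_roots_response)
    return bool(statuses) and all(s == "ENABLED" for s in statuses.values())


def customer_rcps_attached(list_policies_for_target_response):
    """Names of customer-managed RCPs attached to a target. The AWS-managed
    RCPFullAWSAccess policy that Organizations attaches automatically when the
    type is enabled restricts nothing, so it is ignored."""
    return sorted(
        policy["Name"]
        for policy in list_policies_for_target_response.get("Policies", [])
        if policy.get("Type") == RCP_TYPE and not policy.get("AwsManaged", False)
    )


# Constructed sample responses in the shape returned by
# `aws organizations list-roots` and
# `aws organizations list-policies-for-target --target-id <root> --filter RESOURCE_CONTROL_POLICY`.
# The IDs are placeholders, not real AWS identifiers.
def _root(policy_types):
    return {"Roots": [{
        "Id": "r-exmp",
        "Arn": "arn:aws:organizations::111122223333:root/o-exampleorgid/r-exmp",
        "Name": "Root",
        "PolicyTypes": policy_types,
    }]}


SAMPLE_SCP_ONLY = _root([{"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"}])
SAMPLE_RCP_PENDING = _root([
    {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
    {"Type": RCP_TYPE, "Status": "PENDING_ENABLE"},
])
SAMPLE_RCP_ENABLED = _root([
    {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
    {"Type": RCP_TYPE, "Status": "ENABLED"},
])
SAMPLE_ROOT_POLICIES = {"Policies": [
    {"Id": "p-RCPFullAWSAccess", "Name": "RCPFullAWSAccess", "Type": RCP_TYPE, "AwsManaged": True},
    {"Id": "p-exmp1234", "Name": "EnforceOrgIdentitiesS3", "Type": RCP_TYPE, "AwsManaged": False},
]}


def main():
    # Pipe real output in (`aws organizations list-roots | python3 audit_rcp.py`)
    # or run without input to evaluate the constructed samples.
    if not sys.stdin.isatty():
        samples = [("stdin", json.load(sys.stdin))]
    else:
        samples = [("scp-only", SAMPLE_SCP_ONLY),
                   ("rcp-pending", SAMPLE_RCP_PENDING),
                   ("rcp-enabled", SAMPLE_RCP_ENABLED)]
    for label, response in samples:
        verdict = "COMPLIANT" if rcps_enabled(response) else "NON-COMPLIANT"
        print(f"{label}: {rcp_status_by_root(response)} -> {verdict}")
    print("customer RCPs attached to root (sample):", customer_rcps_attached(SAMPLE_ROOT_POLICIES))


if __name__ == "__main__":
    main()
```

Run it with no input to see the three sample verdicts, or pipe the live `list-roots` output into it from the management account. If a root reports `ENABLED` but `customer_rcps_attached` is empty for it, the policy type is switched on but no perimeter is being enforced yet.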
Remediation / Resolution
To ensure that Resource Control Policies (RCPs) are enabled and configured for your AWS organization, perform the following operations:
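The following remediation helper is an added example, not the page's own steps or AWS code. It builds an RCP in the pattern of AWS's published "enforce organization identities" example (deny all `s3:*` actions unless `aws:PrincipalOrgID` matches your organization, with AWS service principals exempted), checks the document against the RCP syntax rules (Deny-only statements, `Principal` must be `"*"`, `Resource` required), and prints the `enable-policy-type`, `create-policy` and `attach-policy` CLI commands in order. The organization ID `o-exampleorgid`, root ID `r-exmp`, file name and policy name are placeholders. Two practitioner caveats: enabling the type automatically attaches the permissive AWS-managed `RCPFullAWSAccess` policy, so nothing is restricted until you attach your own RCP; and an RCP attached to the root applies to every account, so pilot it on a sandbox OU (pass its ID as `target_id`) and confirm that intended cross-account and third-party access still works before attaching at the root.

```python
"""Remediation helper (added example): build an RCP that restricts Amazon S3
access to principals of your own organization, sanity-check it against the RCP
syntax rules, and print the AWS CLI commands that enable the policy type, create
the policy and attach it."""
import json
import shlex

RCP_TYPE = "RESOURCE_CONTROL_POLICY"


def s3_org_perimeter_rcp(org_id):
    """RCP document denying every S3 action unless the caller belongs to org_id.
    StringNotEqualsIfExists still denies when aws:PrincipalOrgID is absent
    (anonymous/unauthenticated requests); the BoolIfExists clause exempts AWS
    service principals (e.g. a service writing logs into a bucket), which carry
    no organization ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnforceOrgIdentitiesS3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }],
    }


def validate_rcp(doc):
    """Return the list of RCP syntax violations this check knows about (empty
    list means OK): RCPs accept only Deny statements, Principal must be "*",
    and every statement needs a Resource element."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            problems.append(f"statement {i}: RCPs support Effect Deny only")
        if stmt.get("Principal") != "*":
            problems.append(f'statement {i}: Principal must be "*"')
        if "Resource" not in stmt:
            problems.append(f"statement {i}: Resource element is required")
    return problems


def remediation_commands(root_id, policy_file, rcp_already_enabled,
                         target_id=None, policy_name="EnforceOrgIdentitiesS3"):
    """Ordered AWS CLI invocations as argv lists. enable-policy-type is skipped
    when the audit already found the type ENABLED. create-policy returns the new
    policy ID at run time, so attach-policy carries the placeholder POLICY_ID.
    target_id defaults to the root; pass a sandbox OU ID to pilot first."""
    commands = []
    if not rcp_already_enabled:
        commands.append(["aws", "organizations", "enable-policy-type",
                         "--root-id", root_id, "--policy-type", RCP_TYPE])
    commands.append(["aws", "organizations", "create-policy",
                     "--name", policy_name,
                     "--description", "Allow S3 access only from principals in this organization",
                     "--type", RCP_TYPE,
                     "--content", f"file://{policy_file}"])
    commands.append(["aws", "organizations", "attach-policy",
                     "--policy-id", "POLICY_ID",
                     "--target-id", target_id or root_id])
    return commands


def main():
    # Placeholder identifiers; substitute your own organization ID and root ID.
    org_id, root_id, policy_file = "o-exampleorgid", "r-exmp", "rcp-s3-org-perimeter.json"
    doc = s3_org_perimeter_rcp(org_id)
    problems = validate_rcp(doc)
    if problems:
        raise SystemExit("invalid RCP: " + "; ".join(problems))
    with open(policy_file, "w") as fh:
        json.dump(doc, fh, indent=2)
    print(f"wrote {policy_file}")
    for argv in remediation_commands(root_id, policy_file, rcp_already_enabled=False):
        print(shlex.join(argv))


if __name__ == "__main__":
    main()
```

Run the printed commands from the organization's management account; replace `POLICY_ID` in the `attach-policy` line with the `Id` that `create-policy` returns. Re-running the audit afterwards should show the root as `ENABLED` with your policy listed alongside `RCPFullAWSAccess`.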
RCPs are available only in AWS Organizations that have all features enabled. To ensure that your organization has all features enabled, follow the steps outlined on this page.
References
- AWS Documentation
- AWS Organizations
- Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations
- Resource control policies (RCPs)
- RCP evaluation
- RCP syntax
- Resource control policy examples
- Enabling a policy type
- AWS Command Line Interface (CLI) Documentation
- list-roots
- enable-policy-type
- create-policy
- attach-policy