AWS News Blog: Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations

Source URL: https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/
Source: AWS News Blog
Title: Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations

Feedly Summary: New Resource Control Policies let you centrally restrict AWS service access across accounts, bolstering security with preventative controls that supersede permissive policies – even for external users. See how these powerful governance tools complement Service Control Policies and integrate with AWS services.

AI Summary and Description: Yes

Summary: The text introduces Resource Control Policies (RCPs) in AWS Organizations, detailing how they provide centralized authorization to limit permissions on AWS resources, enhancing security and compliance in cloud environments. This feature can play a critical role for security and compliance professionals looking to establish robust data perimeter controls across their AWS ecosystems.

Detailed Description:

The introduction of Resource Control Policies (RCPs) represents a significant advancement in managing permissions within AWS Organizations. RCPs are designed to enforce strict access controls on AWS resources, thereby strengthening the security posture of organizations using AWS.

Key Points:

– **Centralized Control**: RCPs are managed centrally through AWS Organizations, which allows organizations to set maximum available permissions on resources across all AWS accounts.

– **Prevention of External Access**: RCPs help establish a data perimeter within AWS environments, ensuring that external access to resources is restricted.

– **Integration with Existing Services**: Initially, RCPs support several key AWS services, including:
– Amazon S3
– AWS Security Token Service (STS)
– AWS Key Management Service (KMS)
– Amazon Simple Queue Service (SQS)
– AWS Secrets Manager

– **Complementarity with SCPs**: While RCPs are similar to Service Control Policies (SCPs), they operate independently and serve different purposes. SCPs limit permissions granted to individuals within the organization, whereas RCPs restrict permissions granted to resources themselves.

– **Implementation Flexibility**: RCPs allow central IT teams to maintain control over permissions. This means that even if developers provide broad access, RCPs can enforce appropriate restrictions based on organizational policies.

– **Policy Creation and Management**: RCPs are defined in JSON format, allowing for precise control over who can access resources based on specific conditions (like organizational identity). For example:
– A policy can deny access to S3 buckets for anyone outside the organization but allow full access for internal principals.

– **Quotas and Limits**: Each RCP can hold up to 5,120 characters, and organizations can maintain up to 1000 such policies.

– **Testing and Deployment Best Practices**: Before implementing RCPs organization-wide, it is recommended to test them in individual accounts or organizational units (OUs) to gauge impact.

– **Integration with CI/CD**: RCPs can be integrated into existing CI/CD pipelines, allowing for automated security compliance checks and policy enforcement, thus facilitating large-scale management of access controls.

– **Drift Detection**: AWS Control Tower supports drift detection for RCPs, alerting organizations if policies are modified or removed outside approved channels, thus supporting consistent governance.

– **Strategic Security Model**: RCPs, when used along with SCPs, help organizations develop a comprehensive security baseline, forming part of a defense-in-depth security model.

In conclusion, the introduction of Resource Control Policies is a pivotal moment for organizations utilizing AWS. By providing a mechanism for consistent permission controls across all resources, security and compliance teams can significantly enhance their AWS security frameworks, ensuring that organizational guidelines are followed meticulously. This shift underscores the importance of centralized governance in modern cloud security practices.