Unlock the Power of AWS Resource Control Policies: Enforce Security and Streamline Governance Across Your Organization.
# Best Practices: Implementing AWS Resource Control Policies (RCPs)
## Overview
This summary outlines best practices for using AWS Resource Control Policies (RCPs) to enforce mandatory security constraints across resources in an AWS Organization. RCPs are the resource-side counterpart of Service Control Policies (SCPs): an SCP caps what principals in your accounts may do, while an RCP caps what may be done *to* resources in your accounts, regardless of what the resource policy or the caller's IAM policy grants. Like SCPs they only restrict and never grant, and they apply only to a defined set of services (Amazon S3, AWS STS, AWS KMS, Amazon SQS and AWS Secrets Manager at launch), so resource types outside that set are not covered. They are the primary preventive control for a data perimeter and a way to standardize security posture across heterogeneous accounts.
## Key Recommendations
### Immediate Actions
1. **Review and Adopt Sample Policies:** Review the sample RCPs in the AWS `data-perimeter-policy-examples` repository (`aws-samples/data-perimeter-policy-examples` on GitHub) before writing any policy from scratch.
2. **Implement Identity Perimeter Baseline:** Deploy a baseline RCP containing the `EnforceOrgIdentities` statement so that only principals in your Organization (plus explicitly listed third-party accounts) can act on your resources, including assuming your IAM roles via `sts:AssumeRole`. The sample keys this on `aws:PrincipalOrgID` and `aws:PrincipalAccount`; before deploying, confirm it also exempts AWS service principals (`aws:PrincipalIsAWSService`), which carry no organization ID and would otherwise be denied.
### Short-term Improvements (1-3 months)
1. **Mandate Encryption in Transit:** Create and deploy an RCP that denies resource access (for example to S3 buckets) over plaintext HTTP (`aws:SecureTransport` is `false`) and over TLS versions below 1.2 (`s3:TlsVersion`), so the requirement holds organization-wide even where an individual bucket policy omits it. Raise the floor to TLS 1.3 only after confirming every client and SDK in use supports it.
2. **Restrict OIDC Access:** Implement the `EnforceTrustedOIDCTenants` statement within an RCP to limit which external OpenID Connect (OIDC) tenants can obtain credentials through `sts:AssumeRoleWithWebIdentity` against roles in your accounts. A multi-tenant provider issues tokens for every one of its customers, so a role trust policy that names the provider but does not constrain the tenant claim is not enough on its own.
3. **Test and Validate in Sandbox:** Define and apply a pilot RCP to a dedicated sandbox AWS account to validate its intended effects without impacting production workloads.
### Long-term Strategy (3+ months)
1. **Establish Formal Data Perimeter Controls:** Fully integrate RCPs as the foundational enforcement mechanism for your AWS Data Perimeter strategy, ensuring all resource policies adhere to defined organizational mandates.
2. **Develop RCP Change Management:** Establish a formal, strict change control process for modifying or removing any production-impacting RCP, treating them as critical infrastructure components.
3. **Document Incident Traceability:** Create internal documentation and train operational teams to recognize an RCP denial. When an RCP is the cause, the access-denied error returned to the caller and the `errorMessage` field of the matching CloudTrail record state that the request was denied "with an explicit deny in a resource control policy", which distinguishes it from SCP, permissions-boundary and resource-policy denials; document this phrase and the escalation path so engineers do not spend hours inspecting the local bucket or role policy.
## Implementation Guidance
### For Small Organizations
- **Focus on Critical Boundaries:** Prioritize RCP deployment to enforce the most immediate external exposure risks, such as preventing public access to S3 buckets and blocking external role assumption, using simple, well-defined policies from the samples.
- **Direct Application:** Apply RCPs directly to the Organization root initially, provided there are no existing complex OU structures that require granular testing first. Two caveats: RCPs, like SCPs, do not affect resources in the management account, so keep workloads out of it; and enabling the policy type attaches the AWS managed `RCPFullAWSAccess` policy, which must stay attached because it carries the only `Allow` an RCP may contain.
### For Medium Organizations
- **OU-Level Rollout:** Utilize OUs to perform a controlled, phased deployment. Apply new RCPs first at the OU level for Development/Testing environments before promoting them to Staging and finally Production OUs.
- **Vendor Management Integration:** Use RCPs tailored with specific trusted third-party identifiers (vendors) for role assumption control, aligning the allowed principals with existing vendor management agreements.
### For Large Enterprises
- **Comprehensive Phased Deployment:** Implement a strict, multi-stage adoption pipeline: Sandbox → Development → Staging → Pilot Production Accounts → Production OUs. This limits the blast radius of any misconfiguration.
- **Architectural Review Requirement:** Make the review and approval of any new or modified RCP a mandatory step in the architecture review board (ARB) or security review process before deployment.
- **Account Mobility Strategy:** Implement continuous monitoring to ensure that accounts moved between OUs retain the required security posture. An RCP is attached to a root, OU or account, so an account that moves inherits the policies of its new location and loses those of the old one; re-verify the effective policies after every move (for example with `aws organizations list-policies-for-target --filter RESOURCE_CONTROL_POLICY`).
## Configuration Examples
The following configurations reference key statements available in AWS sample policies demonstrating functionality:
| Objective | Applicable Statement ID (Reference) | Expected Effect via RCP |
| :--- | :--- | :--- |
| **Prevent External Role Assumption** | `EnforceOrgIdentities` | Denies access to covered resources (S3, KMS, SQS, Secrets Manager and `sts:AssumeRole` on roles) unless the principal is in the Organization, in an explicitly trusted external account, or an AWS service. |
| **Enforce TLS Requirement (e.g., S3)** | (no named sample statement; built from the `aws:SecureTransport` and `s3:TlsVersion` condition keys) | Denies requests to the resource that use plaintext HTTP or a TLS version below the mandated minimum (e.g., TLS 1.2). |
| **Limit OIDC Trust** | `EnforceTrustedOIDCTenants` | Limits which external OIDC tenants can obtain role credentials via `sts:AssumeRoleWithWebIdentity` in your accounts. |
*Note: RCPs use resource-policy syntax (a `Principal` element, normally `"*"`, plus `Action`, `Resource` and `Condition`) and may contain only `Deny` statements apart from the AWS managed `RCPFullAWSAccess` policy. Start from the samples in the referenced repository rather than writing the JSON from scratch.*
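The following is an added illustration, not code from the original page or from the AWS sample repository: a deny-only RCP modelled on the `EnforceOrgIdentities` pattern plus two transport statements for S3, together with a small evaluator for the four condition operators the policy uses. It exists to make the identity-perimeter and TLS items above concrete and to show why `...IfExists` and the `aws:PrincipalIsAWSService` exemption matter. The organization ID, vendor account, the two transport `Sid`s and every request context are placeholders constructed for the example.

```python
"""Deny-only RCP in the EnforceOrgIdentities style, plus a toy evaluator.
Added example; org ID, vendor account, transport Sids and contexts are
placeholders, not values from the page or the AWS samples."""
import fnmatch

ORG_ID = "o-exampleorgid"                    # placeholder organization ID
TRUSTED_VENDOR_ACCOUNTS = ["111122223333"]   # placeholder vendor account

RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Identity perimeter: deny unless the caller is in our org, a listed
            # vendor account, or an AWS service principal (which has no org ID).
            "Sid": "EnforceOrgIdentities",
            "Effect": "Deny", "Principal": "*", "Resource": "*",
            "Action": ["s3:*", "sqs:*", "kms:*", "secretsmanager:*", "sts:AssumeRole"],
            "Condition": {
                "StringNotEqualsIfExists": {
                    "aws:PrincipalOrgID": ORG_ID,
                    "aws:PrincipalAccount": TRUSTED_VENDOR_ACCOUNTS,
                },
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        },
        {   # Hypothetical Sid: refuse plaintext HTTP to S3.
            "Sid": "EnforceSecureTransport",
            "Effect": "Deny", "Principal": "*", "Resource": "*", "Action": "s3:*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Hypothetical Sid: refuse TLS below 1.2. s3:TlsVersion is only set on
            # TLS requests, and a non-IfExists operator is false when the key is absent.
            "Sid": "EnforceMinimumTlsVersion",
            "Effect": "Deny", "Principal": "*", "Resource": "*", "Action": "s3:*",
            "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _key_matches(operator, key, expected, ctx):
    """One condition key. Listed values are ORed; an absent key satisfies an
    ...IfExists operator and fails any other operator."""
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    if key not in ctx:
        return base != operator
    actual = str(ctx[key])
    expected = [str(v) for v in _as_list(expected)]
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    if base == "Bool":
        return actual.lower() in [v.lower() for v in expected]
    if base == "NumericLessThan":
        return any(float(actual) < float(v) for v in expected)
    raise ValueError(f"operator not modelled: {operator}")


def matching_deny_sids(policy, action, ctx):
    """Sids of Deny statements whose Action matches and whose condition keys
    (ANDed across keys and operator blocks) all hold for the request context."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if all(_key_matches(op, key, exp, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, exp in block.items()):
            sids.append(stmt["Sid"])
    return sids


def rcp_permits(policy, action, ctx):
    """True when no statement denies. An RCP never grants on its own; the
    identity or resource policy still has to allow the call."""
    return not matching_deny_sids(policy, action, ctx)


# Constructed request contexts (condition keys only, not real CloudTrail data).
SAME_ORG_TLS13 = {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalAccount": "444455556666",
                  "aws:SecureTransport": "true", "s3:TlsVersion": "1.3"}
SAME_ORG_TLS11 = dict(SAME_ORG_TLS13, **{"s3:TlsVersion": "1.1"})
SAME_ORG_HTTP = {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalAccount": "444455556666",
                 "aws:SecureTransport": "false"}
TRUSTED_VENDOR = {"aws:PrincipalOrgID": "o-vendororgid", "aws:PrincipalAccount": "111122223333",
                  "aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}
UNKNOWN_EXTERNAL = {"aws:PrincipalOrgID": "o-strangerorg", "aws:PrincipalAccount": "999999999999",
                    "aws:SecureTransport": "true", "s3:TlsVersion": "1.3"}
ANONYMOUS = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}
AWS_SERVICE = {"aws:PrincipalIsAWSService": "true",
               "aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}

if __name__ == "__main__":
    cases = [("same org, TLS 1.3", SAME_ORG_TLS13), ("same org, TLS 1.1", SAME_ORG_TLS11),
             ("same org, HTTP", SAME_ORG_HTTP), ("trusted vendor", TRUSTED_VENDOR),
             ("unknown external", UNKNOWN_EXTERNAL), ("anonymous", ANONYMOUS),
             ("AWS service principal", AWS_SERVICE)]
    for name, ctx in cases:
        denied = matching_deny_sids(RCP, "s3:GetObject", ctx)
        print(f"{name:22} s3:GetObject -> {', '.join(denied) or 'not denied by RCP'}")
```

Two points the run makes visible: the anonymous request is denied by `EnforceOrgIdentities` purely because `StringNotEqualsIfExists` treats the missing `aws:PrincipalOrgID` as a match, while the AWS service principal passes only because of the `BoolIfExists` exemption; drop that exemption and service-to-service access breaks. An action outside the covered services (for example `ec2:DescribeInstances`) matches nothing, which is the "not covered" caveat from the overview, not a grant.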
## Compliance Alignment
- **NIST CSF:** In CSF 1.1, aligns with **PR.AC (Identity Management and Access Control)** and **PR.PT (Protective Technology)**; in CSF 2.0 the corresponding category is **PR.AA (Identity Management, Authentication, and Access Control)**. RCPs are preventive technical controls that apply to every covered resource regardless of local configuration. (ID.AM is Asset Management and is not the relevant category.)
- **ISO 27001/27002:** Supports A.13.1 (Network security management) and A.9 (Access control) in the 2013 edition, which correspond to A.8.20 (Networks security) and A.5.15 (Access control) in the 2022 edition, by centrally mandating access criteria for resources.
- **CIS Benchmarks:** Reinforces the CIS AWS Foundations Benchmark's storage and IAM recommendations (for example, blocking public S3 access) by enforcing the baseline organization-wide rather than per account, analogous to organization-wide guardrails.
## Common Pitfalls to Avoid
1. **"Big Bang" Deployment:** Do not deploy a restrictive RCP across the entire Organization root in one step. This guarantees operational disruption if undocumented dependencies exist.
2. **Sole Means of Protection Reliance:** Do not rely on an RCP as the *only* barrier against a misconfiguration. If an RCP is removed, modified, or the account is moved out from under it, any permissive resource or IAM policy beneath it takes effect immediately, which can turn a latent misconfiguration into a security incident. Keep bucket policies, key policies and role trust policies correct in their own right.
3. **Ignoring Generic Error Messages:** Treat any `AccessDenied` encountered after an RCP rollout as possibly caused by the RCP until the error message or the CloudTrail record says otherwise. Without documentation of the expected error text, engineers unaware of the central control will spend a long time troubleshooting the wrong policy.
4. **Forgetting Account Mobility:** Do not assume that an account moved from a restricted OU to a less-restricted OU (or a different Organization) will retain the RCP's protection; the policy is tied to the administrative unit boundary, not the account itself.
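To support the incident-traceability item above and the "generic error messages" pitfall, here is an added example, not code from the original page: a small classifier that reads CloudTrail records and reports which policy type the `errorMessage` names, so RCP denials stand out from SCP, permissions-boundary and identity-policy denials. The records are constructed for the example; their wording follows the "with an explicit deny in a ... policy" pattern AWS uses in access-denied messages, and the matcher keys on the policy-type phrase rather than the exact sentence so that small wording differences do not break it. The account IDs, ARNs and bucket name are placeholders.

```python
"""Classify CloudTrail AccessDenied records by the policy type named in
errorMessage. Added example with constructed records; ARNs, account IDs and
bucket names are placeholders."""
import re
from collections import Counter

# Policy types AWS names in access-denied messages. Case-insensitive so the
# same pattern works on the raw API error and on the CloudTrail copy of it.
POLICY_TYPE = re.compile(
    r"explicit deny in (?:an? )?("
    r"resource control policy|service control policy|resource-based policy|"
    r"identity-based policy|permissions boundary|session policy)",
    re.IGNORECASE,
)

DENY_CODES = {"AccessDenied", "AccessDeniedException"}


def deny_source(record):
    """Policy type named in an access-denied record, 'other' when the message
    names none (e.g. 'no identity-based policy allows'), None if not a denial."""
    if record.get("errorCode") not in DENY_CODES:
        return None
    match = POLICY_TYPE.search(record.get("errorMessage", ""))
    return match.group(1).lower() if match else "other"


def summarize_denials(records):
    """Counter keyed by (policy type, eventSource, eventName)."""
    counts = Counter()
    for rec in records:
        source = deny_source(rec)
        if source is not None:
            counts[(source, rec.get("eventSource"), rec.get("eventName"))] += 1
    return counts


def rcp_denials(records):
    """(principal ARN, eventSource, eventName) for every RCP-caused denial,
    which is the list an on-call engineer needs before touching a bucket policy."""
    return [(rec.get("userIdentity", {}).get("arn"), rec.get("eventSource"), rec.get("eventName"))
            for rec in records if deny_source(rec) == "resource control policy"]


# Constructed CloudTrail records (trimmed to the fields used here).
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::999999999999:assumed-role/VendorRole/session"},
     "errorMessage": "User: arn:aws:sts::999999999999:assumed-role/VendorRole/session is not "
                     "authorized to perform: s3:GetObject on resource: \"arn:aws:s3:::example-"
                     "bucket/report.csv\" with an explicit deny in a resource control policy"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::999999999999:user/contractor"},
     "errorMessage": "User: arn:aws:iam::999999999999:user/contractor is not authorized to "
                     "perform: sts:AssumeRole on resource: arn:aws:iam::444455556666:role/Deploy "
                     "with an explicit deny in a resource control policy"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:user/dev"},
     "errorMessage": "User: arn:aws:iam::444455556666:user/dev is not authorized to perform: "
                     "ec2:RunInstances with an explicit deny in a service control policy"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:user/dev"},
     "errorMessage": "User: arn:aws:iam::444455556666:user/dev is not authorized to perform: "
                     "s3:PutObject because no identity-based policy allows the s3:PutObject action"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:user/dev"}},   # success, no errorCode
]

if __name__ == "__main__":
    for (source, svc, name), n in sorted(summarize_denials(SAMPLE_RECORDS).items()):
        print(f"{n:3}  {source:24} {svc:22} {name}")
    for arn, svc, name in rcp_denials(SAMPLE_RECORDS):
        print(f"RCP blocked {name} on {svc} for {arn}")
```

Run over a CloudTrail Lake query result or an exported JSON log, the summary gives a per-service view of where a newly attached RCP is biting, which is the check to run during each stage of a phased rollout before promoting the policy to the next OU.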
## Resources
- **AWS Data Perimeter Examples Repository:** Review the `data-perimeter-policy-examples` GitHub repository for official and recommended RCP JSON policy structures.
- **AWS RCP Documentation:** Consult the AWS Organizations User Guide section on resource control policies (search for "AWS Resource Control Policies") for the supported services, syntax restrictions such as the Deny-only rule, and the behavioral differences from SCPs.