A short post this week about a site I found that houses AWS Service Control Policy (SCP) examples.
This past week I stumbled over a website that has a neat repository of SCP examples. SCPs are special IAM policies that can be applied at the Organization level inside of AWS, and they take precedence over policies define at the account level. This lets you do things like block users from looking at billing and messing around with CloudTrail/GuardDuty/Config settings, among other things. This is very useful when you have several AWS accounts linked to an organization and you want to consistently apply a set of policies across these accounts. This saves you the trouble of having to setup the same policy inside of each account individually.
The SCP repository even has a nifty tool that lets you select multiple policy examples, and combine them into a single IAM policy JSON example.
Yeah, still haven’t had a chance to work on my APIBan automation yet. Maybe I’ll get lucky this coming week.