AWS Certified Security: Organization-Level Permission Management
Implement organization policies to manage permissions (for example, SCPs, RCPs, AI service opt-out policies, declarative policies).
Curriculum Overview: Implementing Organization Policies
This document outlines the curriculum for mastering centralized governance within AWS Organizations. You will learn to implement guardrails and management policies that enforce security standards across an entire multi-account environment.
Prerequisites
Before starting this module, students should possess the following foundational knowledge:
- AWS Organizations Fundamentals: Understanding of the Root, Organizational Units (OUs), and Member Accounts.
- IAM Policy Syntax: Proficiency in writing JSON-based Identity-Based policies (Statement, Effect, Action, Resource).
- The Principle of Least Privilege: Conceptual understanding of why and how to restrict access.
- AWS CLI/Console Basics: Ability to navigate the management console and execute basic CLI commands.
Module Breakdown
| Module | Topic | Focus Area | Difficulty |
|---|---|---|---|
| 1 | Service Control Policies (SCPs) | Centralized guardrails and permission boundaries. | Advanced |
| 2 | Resource Control Policies (RCPs) | Centrally managing resource-based access across accounts. | Advanced |
| 3 | AI Service Opt-Out Policies | Governing data privacy for AI/ML services. | Intermediate |
| 4 | Tag & Backup Policies | Enforcing resource metadata and disaster recovery rules. | Intermediate |
| 5 | Policy Evaluation Logic | Calculating effective permissions (SCP + IAM + Resource Policy). | Expert |
Learning Objectives per Module
Module 1: Service Control Policies (SCPs)
- Define SCPs as guardrails that set the maximum available permissions.
- Implement "Deny-Lists" to prevent member accounts from disabling security tools (e.g., CloudTrail, GuardDuty).
- Recognize that SCPs also constrain the root user of each member account, a critical distinction from standard IAM policies.
Module 2: Resource Control Policies (RCPs)
- Distinguish between identity-centric (SCP) and resource-centric (RCP) organizational controls.
- Configure RCPs to restrict cross-account access to sensitive S3 buckets or KMS keys at the organization level.
Module 3: AI Service Opt-Out & Declarative Policies
- Implement AI Service Opt-Out policies to ensure customer content is not used for AWS service improvement.
- Configure Backup policies to automate and enforce standardized backup schedules across OUs.
- Use Tag policies to ensure all resources comply with organizational cost-allocation and tracking requirements.
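As an added example for the opt-out objective above (not the curriculum's own material and not AWS code), this Python script builds an AI services opt-out policy document in the management-policy syntax and resolves what an account inherits when a root policy and an OU policy are stacked. It models only the `@@assign` operator and the `@@none` lock in `@@operators_allowed_for_child_policies`; the list operators `@@append` and `@@remove` that tag policies rely on are left out, and the OU policy that tries to opt one service back in is constructed for the demonstration.

```python
"""Added example, not from the curriculum: draft an AI services opt-out policy
and resolve what a member account inherits when policies are stacked on the
root, an OU and the account.  Only the @@assign operator and the @@none lock
are modeled; @@append/@@remove (list operators used by tag policies) are not."""
import copy
import json

OPERATORS_KEY = "@@operators_allowed_for_child_policies"

# Constructed: attached at the root so every account opts out of having its
# content used to develop AWS AI services, and locked so no OU can re-opt in.
ROOT_OPT_OUT_POLICY = {
    "services": {
        OPERATORS_KEY: ["@@none"],
        "default": {
            OPERATORS_KEY: ["@@none"],
            "opt_out_policy": {OPERATORS_KEY: ["@@none"], "@@assign": "optOut"},
        },
    }
}

# Constructed: the same intent without the lock, to show the difference.
ROOT_OPT_OUT_UNLOCKED = {
    "services": {"default": {"opt_out_policy": {"@@assign": "optOut"}}}
}

# Constructed: an OU-level policy that tries to opt one service back in.
OU_OPT_IN_REKOGNITION = {
    "services": {"rekognition": {"opt_out_policy": {"@@assign": "optIn"}}}
}


def merge(parent: dict, child: dict) -> dict:
    """Overlay a child policy on its parent.  Where the parent node forbids child
    operators (@@none) the child's whole subtree is ignored; otherwise a child
    @@assign replaces the inherited value and new keys are added."""
    if parent.get(OPERATORS_KEY) == ["@@none"]:
        return copy.deepcopy(parent)
    result = copy.deepcopy(parent)
    for key, value in child.items():
        if key == "@@assign":
            result["@@assign"] = copy.deepcopy(value)
        elif key.startswith("@@"):
            result[key] = copy.deepcopy(value)  # child may lock its own children
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def _strip_operators(node):
    """Turn the merged operator tree into the plain effective-policy shape."""
    if not isinstance(node, dict):
        return node
    if "@@assign" in node:
        return node["@@assign"]
    return {k: _strip_operators(v) for k, v in node.items() if not k.startswith("@@")}


def effective_policy(levels) -> dict:
    """levels: policy documents in attachment order root -> OU(s) -> account."""
    raw = {}
    for doc in levels:
        raw = merge(raw, doc)
    return _strip_operators(raw)


def service_opted_out(effective: dict, service: str) -> bool:
    """Service-specific entry wins over 'default'; with no policy at all the
    AWS default is opt-in, i.e. content may be used."""
    services = effective.get("services", {})
    entry = services.get(service, services.get("default", {}))
    return entry.get("opt_out_policy", "optIn") == "optOut"


if __name__ == "__main__":
    for label, root in (("locked", ROOT_OPT_OUT_POLICY), ("unlocked", ROOT_OPT_OUT_UNLOCKED)):
        eff = effective_policy([root, OU_OPT_IN_REKOGNITION])
        print(label, json.dumps(eff), "rekognition opted out:", service_opted_out(eff, "rekognition"))
```

On a real organization, `aws organizations describe-effective-policy --policy-type AISERVICES_OPT_OUT_POLICY --target-id <account-id>` returns the resolved document in the same operator-free shape that `effective_policy` produces, which is the quickest way to audit that the lock held.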
Architecture & Evaluation Logic
The following diagram illustrates how SCPs act as a filter for permissions. Even if an IAM policy grants Full Access, the SCP can restrict it.
Policy Attachment Strategy
This TikZ diagram visualizes the hierarchical application of policies within an organization structure.
\begin{tikzpicture}[node distance=1.5cm, every node/.style={draw, rectangle, rounded corners, fill=blue!10, align=center}]
  \node (root) {\textbf{Organization Root}\\Attach: FullAWSAccess};
  \node (ou) [below of=root, xshift=-2cm] {\textbf{Prod OU}\\Attach: DenyDeleteLog};
  \node (ou2) [below of=root, xshift=2cm] {\textbf{Dev OU}\\Attach: LimitInstances};
  \node (acc1) [below of=ou] {Account A};
  \node (acc2) [below of=ou2] {Account B};
  \draw[->] (root) -- (ou);
  \draw[->] (root) -- (ou2);
  \draw[->] (ou) -- (acc1);
  \draw[->] (ou2) -- (acc2);
  \node[draw=none, fill=none, right of=root, xshift=3cm] (label) {\textit{Policies Inherited Downward}};
\end{tikzpicture}
Success Metrics
To demonstrate mastery of this curriculum, the learner must be able to:
- Draft a JSON SCP that prevents any user (including root) from leaving an AWS Organization or deleting CloudTrail logs.
- Predict Effective Permissions: Given a scenario with a specific SCP and an IAM policy, correctly identify if an action will be allowed or denied.
- Centralize Data Sovereignty: Successfully configure an AI Service Opt-Out policy that applies to all accounts in a specific geographic OU.
- Audit Compliance: Use the AWS Organizations console or CLI to verify which policies are effective on a specific member account.
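As an added example (not part of the curriculum and not AWS-provided code), the following Python script drafts the deny-list SCP asked for in the first success metric and then works through the evaluation described in Module 5 and the Architecture section: an action must be allowed at every level of the root-to-account path, and only then do the identity's IAM policies matter. The evaluator is a deliberately simplified model: it handles Action/NotAction and Resource wildcards but ignores Condition blocks. The account ID, trail ARN and OU layout are constructed.

```python
"""Added example, not from the curriculum: draft a deny-list SCP and predict
effective permissions with a simplified evaluator (no Condition support)."""
import fnmatch
import json

# Constructed SCP matching the Success Metrics drill: a pure deny-list that
# blocks leaving the organization and tampering with CloudTrail/GuardDuty.
DENY_SECURITY_TAMPERING_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectLoggingDetectionAndMembership",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "guardduty:DeleteDetector",
            "guardduty:DisassociateFromAdministratorAccount",
            "organizations:LeaveOrganization",
        ],
        "Resource": "*",
    }],
}

# FullAWSAccess is the AWS managed SCP attached at every level by default.  A
# deny-list strategy depends on it staying attached, so the evaluator treats it
# as an ordinary SCP instead of assuming it is present.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def render_policy(policy: dict) -> str:
    """Serialize a policy dict as the JSON document passed to create-policy."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM action and ARN wildcards are '*' and '?'; matching is case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """Does this statement cover the (action, resource) pair?  Conditions are ignored."""
    if "Action" in stmt:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_matches(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    return any(_matches(p, resource) for p in _as_list(stmt.get("Resource", "*")))


def decide(policies, action: str, resource: str) -> str:
    """Standard IAM logic for one set of policies: an explicit Deny beats any
    Allow, and with no matching Allow the result is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def scp_permits(scp_levels, action: str, resource: str) -> bool:
    """scp_levels holds the SCPs attached at each level on the path root ->
    OU(s) -> account.  Inheritance means every level must allow the action."""
    return all(decide(level, action, resource) == "Allow" for level in scp_levels)


def effective_decision(scp_levels, iam_policies, action, resource, root_user=False) -> str:
    """Combine the SCP filter with the identity's IAM policies in a member account."""
    if not scp_permits(scp_levels, action, resource):
        return "Deny (SCP)"
    if root_user:
        # The member-account root user is not subject to identity-based IAM
        # policies, so once the SCP filter passes nothing else denies it.
        return "Allow"
    iam = decide(iam_policies, action, resource)
    return "Allow" if iam == "Allow" else f"Deny (IAM {iam})"


# Constructed layout mirroring the diagram: Organization Root -> Prod OU -> Account A.
PROD_PATH = [
    [FULL_AWS_ACCESS_SCP],                               # Organization Root
    [FULL_AWS_ACCESS_SCP, DENY_SECURITY_TAMPERING_SCP],  # Prod OU
    [FULL_AWS_ACCESS_SCP],                               # Account A
]
ADMIN_IAM_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"  # constructed

if __name__ == "__main__":
    print(render_policy(DENY_SECURITY_TAMPERING_SCP))
    for who, is_root in (("admin user", False), ("root user", True)):
        print(who, "cloudtrail:StopLogging ->",
              effective_decision(PROD_PATH, [ADMIN_IAM_POLICY], "cloudtrail:StopLogging", TRAIL_ARN, is_root))
    print("admin user s3:GetObject ->",
          effective_decision(PROD_PATH, [ADMIN_IAM_POLICY], "s3:GetObject", "arn:aws:s3:::bucket/key"))
```

The failure mode worth rehearsing is removing FullAWSAccess from an OU while leaving only the deny-list attached: that level then has no Allow statement at all, so every action becomes an implicit deny for every account beneath it. To reconstruct `PROD_PATH` for a real account, `aws organizations list-policies-for-target --target-id <id> --filter SERVICE_CONTROL_POLICY` lists what is attached at one level, and `aws organizations list-parents --child-id <id>` gives the next level up.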
Real-World Application
In a professional security environment, these policies solve several critical challenges:
- Preventing Shadow IT: Using SCPs to restrict available regions (e.g., only allowing us-east-1) to ensure compliance with data residency laws.
- Root Account Protection: Since the root user of a member account cannot bypass an SCP, organizations can significantly reduce the risk of a compromised root credential.
- Regulatory Compliance: AI Opt-out policies allow legal teams to guarantee that sensitive data is not being used by third parties (even AWS) for model training, satisfying strict privacy requirements (GDPR/CCPA).
> [!IMPORTANT]
> SCPs do not grant permissions. They only filter them. You must still attach IAM policies to users and roles within the accounts to allow access to resources.