SEC03-BP05: Define permission guardrails for your organization

Establish common controls that restrict access to all identities in your organization. For example, you can restrict access to specific AWS Regions, or prevent your team from deleting common resources, such as an IAM role used for your central security team.

Implementation guidance

Permission guardrails are organization-wide controls that establish boundaries for what actions can be performed by any identity in your AWS environment. These guardrails help ensure consistent security policies across all accounts and prevent accidental or malicious actions that could compromise your security posture.

Key steps for implementing this best practice:

1. Identify organizational security requirements:
   • Define security policies that apply across all accounts
   • Identify actions that should be restricted organization-wide
   • Determine which AWS services should be allowed or denied
   • Establish data residency and compliance requirements
   • Document emergency access exceptions
2. Implement Service Control Policies (SCPs):
   • Create SCPs to enforce organization-wide restrictions
   • Apply SCPs at the organization, organizational unit (OU), or account level
   • Use deny policies to restrict dangerous actions
   • Implement allow lists for approved services and regions
   • Test SCPs in non-production environments first
3. Define permission boundaries:
   • Create permission boundaries for IAM roles and users
   • Establish maximum permissions that can be granted
   • Implement boundaries for different types of workloads
   • Use boundaries to prevent privilege escalation
   • Document boundary policies and their purpose
4. Implement resource-based policies:
   • Use resource-based policies for additional access control
   • Implement cross-account access restrictions
   • Define policies for sensitive resources like KMS keys
   • Establish bucket policies for S3 resources
   • Use resource policies to enforce encryption requirements
5. Monitor and enforce compliance:
   • Set up monitoring for policy violations
   • Implement automated remediation for non-compliant resources
   • Create alerts for attempts to bypass guardrails
   • Regularly audit guardrail effectiveness
   • Generate compliance reports for management
6. Maintain and update guardrails:
   • Regularly review and update guardrail policies
   • Adapt guardrails to new services and features
   • Incorporate lessons learned from security incidents
   • Update guardrails based on changing business requirements
   • Document changes and their rationale

Implementation examples

Example 1: Service Control Policy to restrict regions and prevent security role deletion

Code snippet hidden for website display

Example 2: Permission boundary for developer roles

Code snippet hidden for website display

Example 3: AWS Config rules for guardrail compliance

Code snippet hidden for website display

AWS services to consider

AWS Organizations

Helps you centrally manage and govern your environment as you scale your AWS resources. Use Service Control Policies (SCPs) to implement organization-wide permission guardrails.

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. Use permission boundaries and policies to implement guardrails at the identity level.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Use Config rules to monitor compliance with your guardrail policies.

AWS Control Tower

Provides a simplified way to set up and govern a secure, multi-account AWS environment based on best practices. Includes pre-built guardrails for common security requirements.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor attempts to bypass guardrails and detect policy violations.

Amazon EventBridge

A serverless event bus that makes it easy to connect applications together using data from your own applications, integrated Software-as-a-Service (SaaS) applications, and AWS services. Use EventBridge to trigger automated responses to guardrail violations.

Benefits of defining permission guardrails

• Consistent security posture: Ensures uniform security policies across all accounts and workloads
• Reduced risk of security incidents: Prevents dangerous actions that could compromise security
• Simplified compliance: Helps meet regulatory requirements through automated enforcement
• Operational efficiency: Reduces the need for manual security reviews and interventions
• Scalable governance: Provides a framework that scales with organizational growth
• Proactive protection: Prevents security issues before they can occur
• Clear boundaries: Establishes clear expectations for what actions are allowed

Related resources

Related Resources

• AWS Well-Architected Framework - Define permission guardrails for your organization
• Service control policies (SCPs)
• Permissions boundaries for IAM entities
• Guardrails in AWS Control Tower
• How to use service control policies to set permission guardrails across accounts in your AWS organization
• How to use AWS IAM Access Analyzer to set permission guardrails