Information
Ensure that one or more baseline authorization policies such as Service Control Policies (SCPs) and/or Resource Control Policies (RCPs) are attached to all member accounts in AWS Organizations in accordance with organizational security requirements. Authorization policies act as preventive permission guardrails: SCPs define the maximum available permissions for IAM principals within accounts, while RCPs define the maximum available permissions for resources within accounts. These policies can enforce security invariants such as preventing disabling of key security services, restricting use of unapproved AWS Regions, or blocking external access to sensitive resources.
Authorization policies do not grant permissions but instead set organization-wide limits on what actions principals can perform (SCPs) and what access can be granted to resources (RCPs), regardless of local IAM or resource-based policies. Without baseline guardrail authorization policies, each account can grant excessive or inconsistent permissions that disable logging, weaken security services, allow use of unapproved Regions and services, or permit unintended external access to resources. Attaching standard authorization policies to all member accounts enforces preventive, centralized control over high-risk actions and access patterns, supports least-privilege and role-based access control at scale, and helps ensure that all accounts and resources operate within the organization's defined security baseline.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
1. Design or confirm baseline guardrail SCPs.
   - From the AWS Organizations console, go to Policies -> Service control policies.
   - If you already have standard guardrail SCPs that implement your security baseline, note their names.
   - If you do not have such policies, choose Create policy and create at least one baseline guardrail SCP that encodes non-negotiable security requirements.
2. Repeat the step above for RCPs if needed. From the AWS Organizations console, go to Policies -> Resource control policies.
3. Attach guardrail authorization policies to the root and/or OUs. In AWS Organizations, choose AWS accounts, then select the Root of the organization.
4. Go to the Policies tab, then within the section for Service control policies, choose Attach, and select the baseline guardrail SCP(s) you identified or created in step 1.
5. If using RCPs, then within the section for Resource control policies, choose Attach, and select the baseline guardrail RCP(s) you identified or created in step 2.
6. If your design uses different guardrails per OU (for example, stricter policies for the production OU), select each OU in turn and attach the appropriate guardrail SCPs and RCPs to those OUs.
7. AWS recommends testing authorization policies in a staging OU before attaching them broadly to the root to avoid unintended service disruption.
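Because Nessus does not perform this check, the attachment state has to be verified by hand or by script. The following is an added example, not part of the benchmark or of Nessus: it builds a constructed baseline SCP and RCP of the kind the steps above describe (denying the disabling of security services, restricting Regions, and blocking access from identities outside the organization), runs a few structural checks on them, and then audits a constructed organization tree to confirm that every member account inherits at least one baseline SCP and one baseline RCP from itself, its OU chain, or the root. The policy names, the organization ID o-EXAMPLEORGID, the Region allow-list and the ORG snapshot are all constructed stand-ins; replace the snapshot with the output of the AWS Organizations API (list-roots, list-organizational-units-for-parent, list-accounts-for-parent, list-policies-for-target) to run it against a real organization.

```python
"""Baseline guardrail policies and an attachment audit for AWS Organizations.

Added example: policy documents, names and the ORG tree are constructed
illustrations, not the benchmark's or any project's own artifacts.
"""
import json

APPROVED_REGIONS = ["us-east-1", "eu-west-1"]  # constructed Region allow-list
ORG_ID = "o-EXAMPLEORGID"                       # placeholder organization ID

# Constructed baseline SCP. It contains only Deny statements: an SCP never grants
# permissions, it caps what IAM principals in the account can ever be allowed to do.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingSecurityServices",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "guardduty:DeleteDetector", "guardduty:DisassociateFromAdministratorAccount",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            # NotAction exempts global services whose calls are not Region-scoped (abridged list).
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                          "route53:*", "cloudfront:*", "budgets:*", "health:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
    ],
}

# Constructed baseline RCP: resources in the account may only be used by identities in
# this organization (or by AWS services acting on their behalf), regardless of what a
# local resource-based policy grants. RCP statements must name "Principal": "*".
BASELINE_RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAccessFromOutsideOrganization",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:*", "sqs:*", "kms:*", "secretsmanager:*", "sts:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }
    ],
}


def validate_policy(doc, policy_type):
    """Structural checks for the mistakes that make Organizations reject a document.
    Returns a list of problems; an empty list means the document passed."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    if len(json.dumps(doc)) > 5120:
        problems.append("document exceeds the 5,120-byte Organizations limit")
    for stmt in doc.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if policy_type == "SERVICE_CONTROL_POLICY" and "Principal" in stmt:
            problems.append(f"{sid}: SCP statements cannot name a Principal")
        if policy_type == "RESOURCE_CONTROL_POLICY" and stmt.get("Principal") != "*":
            problems.append(f'{sid}: RCP statements must use Principal "*"')
    return problems


# Constructed organization snapshot: target id -> parent and directly attached policies.
# Only FullAWSAccess (the AWS-managed default, not a guardrail) sits on the root here.
ORG = {
    "r-exmp":       {"type": "ROOT",    "parent": None,           "attached": ["FullAWSAccess"]},
    "ou-exmp-prod": {"type": "OU",      "parent": "r-exmp",       "attached": ["BaselineGuardrailSCP", "BaselineGuardrailRCP"]},
    "ou-exmp-sbx":  {"type": "OU",      "parent": "r-exmp",       "attached": []},
    "111111111111": {"type": "ACCOUNT", "parent": "ou-exmp-prod", "attached": []},
    "222222222222": {"type": "ACCOUNT", "parent": "ou-exmp-sbx",  "attached": ["BaselineGuardrailRCP"]},
    "333333333333": {"type": "ACCOUNT", "parent": "ou-exmp-sbx",  "attached": []},
}

# Names of the policies that count as the organization's baseline, per policy type.
REQUIRED = {
    "SERVICE_CONTROL_POLICY": {"BaselineGuardrailSCP"},
    "RESOURCE_CONTROL_POLICY": {"BaselineGuardrailRCP"},
}


def effective_attachments(target_id, org=ORG):
    """Policies attached to the target or to any ancestor up to the root.
    A Deny in an SCP or RCP applies to every account beneath its attachment point."""
    seen = set()
    while target_id is not None:
        seen.update(org[target_id]["attached"])
        target_id = org[target_id]["parent"]
    return seen


def audit(org=ORG, required=REQUIRED):
    """Return {account_id: [missing policy types]}; compliant accounts map to []."""
    report = {}
    for target_id, node in org.items():
        if node["type"] != "ACCOUNT":
            continue
        effective = effective_attachments(target_id, org)
        report[target_id] = sorted(ptype for ptype, names in required.items()
                                   if not names & effective)
    return report


if __name__ == "__main__":
    for ptype, doc in (("SERVICE_CONTROL_POLICY", BASELINE_SCP),
                       ("RESOURCE_CONTROL_POLICY", BASELINE_RCP)):
        print(ptype, "problems:", validate_policy(doc, ptype) or "none")
    for account, missing in audit().items():
        print(account, "OK" if not missing else "missing " + ", ".join(missing))
```

In the constructed tree, only the production account passes: the sandbox account with a directly attached RCP still lacks an SCP, and the bare sandbox account lacks both, because FullAWSAccess on the root is the permissive default rather than a guardrail. The audit deliberately walks the OU chain, since a guardrail attached at the root or an OU protects every account beneath it without a per-account attachment.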
Impact:
Enforcing baseline authorization policies for all member accounts can initially block some existing patterns, such as use of unapproved Regions, disabling security services, or granting broader permissions than the guardrails allow. Teams may need to adjust IAM policies, deployment pipelines, and exception processes so legitimate use cases remain possible within the new guardrails. This can introduce short-term operational overhead and require careful testing, especially when attaching new policies at the root or OU level.