Ensure Effect is set to 'Deny' if Resource is used in Organization policies

LOW

Description

Service control policy (SCP) syntax restricts the 'Resource' element by effect: in a statement whose Effect is 'Allow', Resource may only be the wildcard "*"; individual resource ARNs (or ARN wildcards) in Resource are supported only in statements whose Effect is 'Deny'. An Allow statement that names specific ARNs is therefore invalid SCP syntax and will not apply the intended scoping.
References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the Organizations console.
  2. Under Policy Management, select Policies.
  3. Choose the policy you wish to edit.
  4. Edit the policy document so that every 'Allow' statement uses "Resource": "*", and express any resource-specific restriction as a separate 'Deny' statement that names the ARNs.

In Terraform -

  1. In the aws_organizations_policy resource, edit the JSON passed to the content argument so the policy Statement has valid SCP syntax.
  2. For statements that name specific ARNs in Resource, set Effect to "Deny"; any "Allow" statement must use "Resource": "*".
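The check described in the Description and the Terraform remediation above, as an added example that is not part of the original page or of any vendor tool: a small Python function that scans an SCP document for Allow statements whose Resource is anything other than "*", run against two constructed policies (the JSON strings are what you would pass, via jsonencode, to the content argument of aws_organizations_policy). The function and constant names are hypothetical.

```python
import json

# Constructed sample SCP (not from the page). The first statement is the
# defect this rule flags: Effect "Allow" with Resource scoped to an ARN.
NONCOMPLIANT_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3OnOneBucket",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyDeleteOnOneBucket",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
})

# Remediated form: the Allow statement uses Resource "*" only, and the
# resource-specific restriction is expressed as an explicit Deny.
COMPLIANT_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyDeleteOnOneBucket",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
})


def _as_list(value):
    """IAM JSON allows a string or a list in Statement and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_invalid_allow_resources(policy_document: str) -> list:
    """Return identifiers of Allow statements whose Resource is not just "*".

    Each finding is the statement's Sid, or "Statement[i]" when no Sid is set.
    Deny statements are skipped: SCP syntax permits ARNs there.
    """
    doc = json.loads(policy_document)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if any(r != "*" for r in resources):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    print("non-compliant:", find_invalid_allow_resources(NONCOMPLIANT_SCP))
    print("compliant:", find_invalid_allow_resources(COMPLIANT_SCP))
```

A list-valued Resource is flagged as soon as any entry other than "*" appears, since mixing "*" with an ARN in an Allow statement is still invalid SCP syntax.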

References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy

Policy Details

Rule Reference ID: AC_AWS_0407
CSP: AWS
Remediation Available: Yes
Resource Type: Policy

Frameworks