Ensure Effect is set to 'Deny' if Condition is used in AWS Organization policies

LOW

Description

Service control policy (SCP) syntax allows a wildcard character in an element only when the wildcard is used by itself or at the end of a string.
References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the Organizations console.
  2. Under Policy Management, select Policies.
  3. Choose the policy you wish to edit.
  4. Update accordingly.

In Terraform -

  1. In the aws_organizations_policy resource, edit the policy Statement so that it uses valid SCP syntax.
  2. For statements that contain a Condition element, set Effect to an explicit Deny as needed.

References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy
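The following is an added example, not part of this rule page or of any AWS or Terraform tooling: a small Python checker that reads an SCP document (the JSON that would be passed as the content of an aws_organizations_policy resource) and reports the two problems described above, a Condition element in a statement whose Effect is not Deny, and a wildcard that is neither alone nor at the end of a string. The wildcard check is applied to the Action and NotAction elements, which is this example's own choice of scope; the two policy documents and their Sid values are constructed for the example.

```python
"""Check an AWS Organizations SCP document for two constraints:
  1. any statement with a Condition element must have Effect "Deny";
  2. a wildcard (*) in Action/NotAction may only stand alone or end a string.
Example code; not the rule engine's or AWS's own implementation."""
import json


def _wildcard_ok(value: str) -> bool:
    """True when '*' is absent, is the whole value, or is the final character."""
    if value == "*":
        return True
    star = value.find("*")
    if star == -1:
        return True
    return star == len(value) - 1


def check_scp(document) -> list:
    """Return a list of human-readable findings; an empty list means compliant."""
    policy = json.loads(document) if isinstance(document, str) else document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]

    findings = []
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        effect = stmt.get("Effect")

        # Constraint 1: Condition implies Effect must be Deny.
        if "Condition" in stmt and effect != "Deny":
            findings.append(
                f"{sid}: Condition is present but Effect is {effect!r}; expected 'Deny'"
            )

        # Constraint 2: wildcard position inside Action / NotAction values.
        for element in ("Action", "NotAction"):
            values = stmt.get(element)
            if values is None:
                continue
            if isinstance(values, str):
                values = [values]
            for value in values:
                if not _wildcard_ok(value):
                    findings.append(
                        f"{sid}: {element} {value!r} uses a wildcard that is not alone "
                        "or at the end of the string"
                    )
    return findings


# Constructed sample: one Allow statement carrying a Condition, and one Deny
# statement whose Action has a wildcard in the middle of the string.
BAD_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWithCondition",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
    },
    {
      "Sid": "DenyBadWildcard",
      "Effect": "Deny",
      "Action": ["s3:*Bucket", "ec2:Describe*"],
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}"""

# Constructed sample: the remediated form, a Deny statement with a Condition
# and a trailing wildcard only.
GOOD_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideRegion",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}
    }
  ]
}"""


if __name__ == "__main__":
    for name, doc in (("BAD_SCP", BAD_SCP), ("GOOD_SCP", GOOD_SCP)):
        result = check_scp(doc)
        print(name, "->", result or "compliant")
```

Run the file directly to see both sample policies evaluated; in a pipeline, the same function can be pointed at the decoded content argument of each aws_organizations_policy resource before the plan is applied.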

Policy Details

Rule Reference ID: AC_AWS_0409
CSP: AWS
Remediation Available: Yes
Resource Type: Policy

Frameworks