Ensure wildcards (*) are only at the end of strings in Action of AWS Organization policies

LOW

Description

Service control policy (SCP) syntax does not support the 'Condition' element in statements with effect 'Allow'; 'Condition' is supported only with effect 'Deny'.
References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the Organizations console.
  2. Under Policy Management, select Policies.
  3. Choose the policy you wish to edit.
  4. Update accordingly.

In Terraform -

  1. In the aws_organizations_policy resource, edit the policy Statement to have valid syntax.

References:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy
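
A check for the rule named in the title, as an added example that is not part of the original page or of any scanner's own code: it parses an SCP document and reports every Action entry in which a '*' appears anywhere other than at the end of the string. The function names and the sample policy are constructed for illustration, and only the Action element is inspected, as in the rule title.

```python
import json

# Constructed sample SCP (not taken from the page): one compliant statement,
# two statements with a wildcard before the end of an Action string.
SAMPLE_SCP = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyEc2Wide", "Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "DenyMidWildcard", "Effect": "Deny",
     "Action": ["iam:*User", "s3:Get*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["*:Delete*"], "Resource": "*"}
  ]
}
"""


def _as_list(value):
    """Statement and Action may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def misplaced_wildcards(policy_json):
    """Return (statement label, action) for each Action string whose '*'
    is not confined to the end of the string."""
    findings = []
    policy = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid", f"statement[{index}]")
        for action in _as_list(stmt.get("Action")):
            # Strip the trailing wildcard run; any '*' left over sits at the
            # start or in the middle of the string and violates the rule.
            if isinstance(action, str) and "*" in action.rstrip("*"):
                findings.append((label, action))
    return findings


if __name__ == "__main__":
    for label, action in misplaced_wildcards(SAMPLE_SCP):
        print(f"{label}: wildcard not at end of Action '{action}'")
```

For a policy managed in Terraform, the same JSON is what the aws_organizations_policy resource carries in its content argument.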

Policy Details

Rule Reference ID: AC_AWS_0410
CSP: AWS
Remediation Available: Yes
Resource Type: Policy

Frameworks