# Create Service Control Policy
Warning
We decided not to attach this policy since it caused a lot of problems down the line. Using the OrganizationAccountAccessRole role is fine as long as it is scoped to the specific organization AWS account.
Attaching an SCP to the active OU prevents unintended access to the organization's AWS accounts (client accounts) through the OrganizationAccountAccessRole role. To attach one, create a new SCP and attach it to the active OU. You can do that by navigating here. Create a new policy named AutoPilotActiveAccount with the following description:
This policy only restricts access for assumed roles that used the OrganizationAccountAccessRole role. This policy does NOT restrict any other type of access, such as SSO access or IAM access.
Now, you can attach the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotAction": [
        "acm:DeleteCertificate",
        "acm:DescribeCertificate",
        "acm:ImportCertificate",
        "acm:AddTagsToCertificate",
        "acm:ListCertificates",
        "autoscaling:DeleteScheduledAction",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:UpdateAutoScalingGroup",
        "backup:ListRecoveryPointsByBackupVault",
        "backup:ListTags",
        "backup:StartBackupJob",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate",
        "cloudformation:UpdateStack",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "aws:PrincipalType": "AssumedRole"
        },
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
        }
      }
    }
  ]
}
```
Once completed, assign that policy to the OU that contains the active accounts.
Note
In the case of the staging management account, that OU is ou-oezy-zmb0bkr6.
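As an added, offline check that is not part of the original runbook, the following Python reproduces the IAM semantics this statement relies on (a Deny with NotAction that applies only when both conditions match) and shows which callers the policy actually constrains. The NotAction list is trimmed to a few entries from the policy above; the account IDs and role names used in the checks are constructed.

```python
import re

# Trimmed copy of the page's AutoPilotActiveAccount SCP: same statement shape,
# with only a few of its NotAction entries kept so the example stays short.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": [
            "cloudformation:DescribeStacks", "cloudformation:UpdateStack",
            "ec2:DescribeInstances", "ec2:RevokeSecurityGroupIngress",
        ],
        "Resource": "*",
        "Condition": {
            "StringEqualsIgnoreCase": {"aws:PrincipalType": "AssumedRole"},
            "StringLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
            },
        },
    }],
}

def _like(pattern, value, case_sensitive=True):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    StringLike on context keys is case-sensitive; action names are not."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None

def _conditions_match(condition, ctx):
    """Every condition operator in a statement must hold for it to apply."""
    for key, expected in condition.get("StringEqualsIgnoreCase", {}).items():
        if ctx.get(key, "").lower() != expected.lower():
            return False
    for key, pattern in condition.get("StringLike", {}).items():
        if not _like(pattern, ctx.get(key, "")):
            return False
    return True

def scp_denies(action, principal_arn, principal_type="AssumedRole", scp=SCP):
    """True when a Deny statement in the SCP matches this call."""
    ctx = {"aws:PrincipalArn": principal_arn, "aws:PrincipalType": principal_type}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _conditions_match(stmt.get("Condition", {}), ctx):
            continue
        # NotAction: the Deny covers every action NOT matched by the list.
        if not any(_like(a, action, case_sensitive=False) for a in stmt.get("NotAction", [])):
            return True
    return False
```

Calls through the OrganizationAccountAccessRole session are denied unless the action is on the NotAction list, while an SSO permission-set role or an IAM user in the same account is untouched, which is exactly the scope described in the policy description.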