# Privileged access control examples

Enforce controls to make sure that your roles and applications are given only the privileges that are essential to perform their intended function.

| Included Policy | Rationale |
| --- | --- |
| Prevent root credentials management in member accounts in AWS Organizations | Centrally manage root access for member accounts in AWS Organizations. Only allow management account sessions to perform actions on root credentials. Note: An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. SCPs have no effect on users or roles in the management account. |
| Deny the root user from performing actions other than modification to S3 bucket policy | Consider configuring an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On) to perform daily tasks. Restrict use of the root user, with an exception for S3 bucket policy changes if you are frequently locked out of S3 buckets. Refer to Tasks that require root user credentials. |
| Deny modifications to specific IAM roles | Restrict IAM principals in accounts from making changes to specific IAM roles created in an AWS account. This could be a common administrative IAM role created in all accounts in your organization. |
| Deny critical IAM user actions | Restrict creation and modification of IAM user profiles, IAM user access keys and the account password policy to a privileged role. Require your human users to use temporary credentials when accessing AWS. You can use an identity provider for your human users to provide federated access to AWS accounts by assuming roles, which provide temporary credentials rather than creating IAM users with long-term credentials. Consider protecting your Administrator role using a policy similar to Deny modifications to specific IAM roles. |
| Deny member accounts from leaving your AWS organization | Restrict users or roles in any affected account from leaving AWS Organizations. |
| Deny billing modification action | Restrict IAM principals in accounts from making changes to the payment method and tax preferences, changing challenge questions, or changing contact information. |
| Prevent any VPC that doesn't already have internet access from getting it | Deny users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment. Note: Existing VPCs that have internet access retain their internet access. |
| Deny Amazon Virtual Private Network (VPN) connections | Restrict creation, modification or deletion actions on Virtual Private Network (VPN) connections (Site-to-Site VPN and Client VPN) to an Amazon Virtual Private Cloud (VPC). |
| Deny unwarranted IAM Federation creation and modification | Restrict the creation of new and modification of existing IAM federation. This policy is usually used in conjunction with Deny critical IAM user actions to prevent unauthorized users from creating alternative access routes to AWS accounts. |
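As an added example (not one of the repository's own policies), the following Python builds an SCP in the shape of the "Deny modifications to specific IAM roles" entry above and evaluates constructed requests against it, showing how the explicit Deny on the protected role is carved out for one exempt principal via `StringNotLike` on `aws:PrincipalARN`. The role name `OrgAdminRole`, the exempt principal and the account ID are assumptions chosen for illustration.

```python
import fnmatch
import json

# Assumed values for illustration only; substitute your own protected role.
PROTECTED_ROLE = "OrgAdminRole"
EXEMPT_PRINCIPAL = "arn:aws:iam::*:role/OrgAdminRole"  # assumption: the role may manage itself

# Constructed SCP: explicit Deny on role-mutating IAM actions, scoped to the
# protected role in every account, except when the caller matches EXEMPT_PRINCIPAL.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyModificationsToProtectedRole",
        "Effect": "Deny",
        "Action": [
            "iam:AttachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:UpdateRole",
            "iam:UpdateAssumeRolePolicy", "iam:UpdateRoleDescription",
        ],
        "Resource": f"arn:aws:iam::*:role/{PROTECTED_ROLE}",
        "Condition": {"StringNotLike": {"aws:PrincipalARN": EXEMPT_PRINCIPAL}},
    }],
}

def render_scp() -> str:
    """Serialize the SCP as the JSON document you would attach to an OU."""
    return json.dumps(SCP, indent=2)

def _match(pattern: str, value: str) -> bool:
    # IAM wildcards (* and ?) map onto fnmatch; ARNs contain no '[' so no escaping needed.
    return fnmatch.fnmatchcase(value, pattern)

def scp_denies(principal_arn: str, action: str, resource: str) -> bool:
    """True if a Deny statement in the SCP matches the request.

    A False result only means the SCP does not block the call; an IAM
    identity policy must still grant it (SCPs never grant permissions).
    """
    for stmt in SCP["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_match(a.lower(), action.lower()) for a in actions):  # actions are case-insensitive
            continue
        if not _match(stmt["Resource"], resource):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalARN")
        if exempt and _match(exempt, principal_arn):
            continue  # caller matches the exempt pattern, so StringNotLike fails and the Deny does not apply
        return True
    return False
```

Read-only calls such as `iam:GetRole` are not in the action list and therefore pass through, as do the same mutating actions on any other role.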