AWS is introducing resource control policies (RCPs), a new AWS Organizations policy type that lets organizations set the maximum permissions available on the AWS resources in their accounts.
According to AWS, RCPs help organizations be more confident that the resources in their accounts stay within their access control guidelines.
RCPs are the counterpart of service control policies (SCPs). SCPs bound the maximum permissions of the IAM principals (users and roles) in an organization's member accounts; RCPs bound what can be done to the resources in those accounts, whichever principal makes the request, including principals outside the organization. The two policy types are evaluated independently and have separate quotas, AWS explained.
“Along with SCPs, RCPs help you to centrally establish a data perimeter across your AWS environment and prevent unintended access at scale. SCPs and RCPs are independent controls that allow you to achieve a distinct set of security objectives. You can choose to enable only SCPs or RCPs, or use both policy types together to establish a comprehensive security baseline as part of the defense-in-depth security model,” Matheus Guimaraes, senior developer advocate at AWS, wrote in a blog post.
Currently, each organization can create up to 1,000 RCPs, and up to five RCPs can be attached to the organization root, to each OU, and to each account. Each RCP is limited to 5,120 characters. AWS recommends testing the impact of an RCP by attaching it to an individual test account first and only then working up through OUs to the organization root.
The AWS services that support RCPs at launch are Amazon S3, AWS Security Token Service (STS), AWS Key Management Service (KMS), Amazon SQS, and AWS Secrets Manager.
RCPs apply only to resources in member accounts, not to resources in the management account. Within member accounts they apply to every principal, including account administrators, AWS cautioned.
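As an added illustration (this is not code from the AWS post), the block below builds the kind of identity-perimeter RCP the article describes, checks it against the 5,120-character quota and the structural rules for customer-managed RCPs as I read the documented syntax (Deny-only statements, `Principal` set to `"*"`, a required `Resource` element), and runs a simplified model of its Deny logic over constructed sample requests. The organization ID, the action list and the sample request contexts are placeholders I made up; the condition keys `aws:PrincipalOrgID` and `aws:PrincipalIsAWSService` are real IAM global condition keys. The evaluator is a teaching model of the `...IfExists` condition semantics, not AWS's policy engine, and an RCP can only take access away; it never grants anything.

```python
"""Added example (not from the AWS post): build a minimal identity-perimeter
RCP, check it against the quotas the article mentions, and run a simplified
model of its Deny logic over constructed sample requests."""
import json
from fnmatch import fnmatchcase

# Placeholder organization ID (assumption, not a real org); substitute your own.
ORG_ID = "o-exampleorgid"

# Per the article: each RCP may contain at most 5,120 characters.
RCP_MAX_CHARS = 5120

# Illustrative action set covering services the article lists as RCP-capable.
PERIMETER_ACTIONS = ["s3:*", "sqs:*", "kms:*", "secretsmanager:*", "sts:AssumeRole"]


def build_perimeter_rcp(org_id: str) -> dict:
    """Deny requests against in-scope resources unless the caller is a
    principal in our organization or an AWS service principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnforceOrgIdentities",
                "Effect": "Deny",
                "Principal": "*",
                "Action": PERIMETER_ACTIONS,
                "Resource": "*",
                "Condition": {
                    # IfExists: also matches requests carrying no org ID (anonymous)
                    "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                    # Exempt AWS service principals (e.g. a service writing logs)
                    "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
                },
            }
        ],
    }


def validate_rcp(policy: dict) -> list[str]:
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    body = json.dumps(policy, separators=(",", ":"))
    if len(body) > RCP_MAX_CHARS:
        problems.append(f"policy is {len(body)} chars, limit is {RCP_MAX_CHARS}")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Deny":
            problems.append(f"{sid}: customer RCP statements must use Effect Deny")
        if stmt.get("Principal") != "*":
            problems.append(f'{sid}: RCP statements must use Principal "*"')
        if "Resource" not in stmt:
            problems.append(f"{sid}: Resource element is required")
    return problems


def _condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Simplified semantics for the two operators the policy uses: the
    ...IfExists variants evaluate to True when the key is absent."""
    present = key in ctx
    if operator == "StringNotEqualsIfExists":
        return (not present) or ctx[key] != expected
    if operator == "BoolIfExists":
        return (not present) or ctx[key].lower() == expected.lower()
    raise ValueError(f"operator {operator} is not modelled here")


def rcp_denies(policy: dict, action: str, ctx: dict) -> bool:
    """True if any Deny statement applies to this action and request context.
    Teaching model only: real evaluation also involves resource policies,
    SCPs and identity policies, and an RCP can only remove access."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names match case-insensitively; '*' is a wildcard
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        conds = stmt.get("Condition", {})
        # Multiple condition operators in one block are ANDed together
        if all(_condition_matches(op, k, v, ctx)
               for op, pairs in conds.items() for k, v in pairs.items()):
            return True
    return False


# Constructed sample request contexts (not real AWS requests).
SAMPLE_REQUESTS = [
    ("s3:GetObject", {"aws:PrincipalOrgID": ORG_ID}, "role in our org"),
    ("s3:GetObject", {"aws:PrincipalOrgID": "o-someoneelse"}, "role in another org"),
    ("s3:GetObject", {}, "anonymous / no principal org"),
    ("kms:Decrypt", {"aws:PrincipalIsAWSService": "true"}, "AWS service principal"),
    ("ec2:DescribeInstances", {}, "action outside RCP scope"),
]


def evaluate_samples(policy: dict) -> dict:
    """Map each sample description to whether the RCP denies it."""
    return {desc: rcp_denies(policy, action, ctx) for action, ctx, desc in SAMPLE_REQUESTS}


if __name__ == "__main__":
    rcp = build_perimeter_rcp(ORG_ID)
    print(json.dumps(rcp, indent=2))
    print("problems:", validate_rcp(rcp) or "none")
    for desc, denied in evaluate_samples(rcp).items():
        print(f"{desc:32s} -> {'DENY' if denied else 'not denied by RCP'}")
```

Following the article's advice, a document like this is best attached to a single test account first; with the Deny in place, an in-organization role still needs an allowing identity or resource policy to reach the bucket, while a role from another organization or an anonymous request is refused regardless of what the bucket policy says.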
For a tutorial on how to set up RCPs, visit AWS’s blog post.