With service-control-policies, you tell the framework to apply an SCP to a specific account, every account with a specified tag or to an organizational unit.
This tutorial will walk you through how to use the “Applying Service Control Policies” feature.
We will assume you have:
We are going to perform the following steps to “Applying Service Control Policies”:
Here are the steps you need to follow to “Applying Service Control Policies”
When using service-control-policies you will need an IAM role assumable from the account where you have installed this framework.
Within your AWS Organizations management account you should create an AWS CloudFormation stack with the following name:
puppet-organizations-service-control-policies-stack
Using the template of the URL:
https://service-catalog-tools.s3.eu-west-2.amazonaws.com/puppet/latest/servicecatalog-puppet-scp-master.template.yaml
This stack will have an output named PuppetOrgRoleForExpandsArn. Take a note of this Arn as you will need it in the next step.
Once you have created the IAM Role, you need to tell the framework which role you want to use. You do this by creating
an AWS Systems Manager Parameter Store parameter named /servicecatalog-puppet/org-scp-role-arn in the region of the
account where you will install puppet and use as your hub account. You can do this via the console or via the cli.
aws ssm put-parameter --name /servicecatalog-puppet/org-scp-role-arn --type String --value <VALUE-FROM-STEP-ABOVE>
To apply an SCP to a specific account add the following snippet to your manifest file:
service-control-policies:
deny-organizations-leave-organization:
description: "do not allow accounts to leave"
tags:
- Key: Category
Value: Foundational
content:
default: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization"
],
"Resource": "*"
}
]
}
apply_to:
accounts:
- account_id: "000000000000"
You will need to update the account_id from 000000000000 to the account_id you want to apply the service control policy to.
Please note, you do not need to specify a region in the apply_to section.
To apply an SCP to every account with specified tag add the following snippet to your manifest file:
service-control-policies:
deny-organizations-leave-organization:
description: "do not allow accounts to leave"
tags:
- Key: Category
Value: Foundational
content:
default: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization"
],
"Resource": "*"
}
]
}
apply_to:
tags:
- tag: type:prod
You will need to update the tag from type:prod to the tag you want to apply the service control policy to.
Please note, you do not need to specify a region in the apply_to section.
To apply an SCP to a specific organizational unit add the following snippet to your manifest file:
service-control-policies:
deny-organizations-leave-organization:
description: "do not allow accounts to leave"
tags:
- Key: Category
Value: Foundational
content:
default: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization"
],
"Resource": "*"
}
]
}
apply_to:
ous:
- ou: /workloads
You will need to update the ou from /workloads to the path you want to apply the service control policy to.
Alternatively you can use an ou id instead of a path:
service-control-policies:
deny-organizations-leave-organization:
description: "do not allow accounts to leave"
tags:
- Key: Category
Value: Foundational
content:
default: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization"
],
"Resource": "*"
}
]
}
apply_to:
ous:
- ou: ou-japk-38pz9nbt
You can choose to store you Service Control Policies in Amazon S3 using the following syntax:
service-control-policies:
deny-organizations-leave-organization:
description: "do not allow accounts to leave"
tags:
- Key: Category
Value: Foundational
content:
s3:
bucket: my-s3-scp-store
key: deny-organizations-leave-organization.json
apply_to:
ous:
- ou: /workloads
You have now successfully applied a service control policy!