3.2. Advanced IAM: Condition Keys and Service Control Policies (SCPs) for Enterprise Security

Level Up Your AWS Security Game: Mastering IAM Condition Keys and Service Control Policies (SCPs)

So, you’ve got the basics of AWS Identity and Access Management (IAM) down – users, groups, roles, and policies. That’s great! But in a large enterprise, you need more granular control over who can do what, and where and how they can do it. That’s where advanced features like IAM Condition Keys and Service Control Policies (SCPs) come into play.

Think of them as the ultimate security guardrails for your AWS environment, ensuring everyone stays within their designated lane. Let’s break them down in simple terms:

1. IAM Condition Keys: Adding Nuance to Permissions

Imagine you have a policy allowing users to create EC2 instances. But what if you want to restrict this ability to only instances of a specific size (e.g., t2.micro) or from a specific region (e.g., us-east-1)? That’s where condition keys come in handy.

What are IAM Condition Keys?

IAM condition keys are essentially if-then statements added to your IAM policies. They allow you to specify conditions that must be met for the policy to be in effect. Think of it like this:

• IF the condition is true, THEN the permission is granted.
• IF the condition is false, THEN the permission is denied (or the policy doesn’t apply).

How do they work?

Condition keys compare the values in the policy against the context of the AWS request being made. This context includes information like:

• The AWS Service: (e.g., ec2)
• The action being performed: (e.g., ec2:RunInstances)
• The resources involved: (e.g., the EC2 instance being created)
• The user making the request: (e.g., their username or IAM role)
• The source IP address: (e.g., the network the request is coming from)

Example: Let’s say we want to allow users to create S3 buckets, but only if the bucket name starts with “production-“. Here’s how the policy would look:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateBucketsWithPrefix",
            "Effect": "Allow",
            "Action": "s3:CreateBucket",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringLike": {
                    "s3:BucketName": "production-*"
                }
            }
        }
    ]
}

Explanation:

• s3:BucketName: This is the condition key we’re using. It refers to the name of the S3 bucket being created.
• StringLike: This is the operator we’re using for the comparison. It means “match if the string is like this pattern”.
• "production-*": This is the value we’re comparing against. The * is a wildcard, meaning any characters can follow “production-“.

So, this policy allows users to create S3 buckets ONLY IF the bucket name starts with “production-“. Trying to create a bucket named “test-bucket” would be denied.

Common Condition Keys:

• aws:username: The username of the IAM user.
• aws:userid: The unique ID of the IAM user.
• aws:SourceIp: The IP address making the request. Useful for restricting access from specific networks.
• aws:CurrentTime: The current date and time. Useful for granting temporary access.
• ec2:InstanceType: The type of EC2 instance.
• s3:ExistingObjectTag/<tag-key>: Condition based on S3 object tags.

Benefits of Condition Keys:

• Granular Control: Fine-tune permissions based on specific conditions.
• Security: Enforce security best practices (e.g., only allow creating instances in a specific region).
• Compliance: Meet regulatory requirements by restricting actions based on specific conditions.

2. Service Control Policies (SCPs): Governing Your AWS Organizations

Now, let’s talk about Service Control Policies (SCPs). SCPs take your security to the organizational level, letting you centrally manage permissions for all AWS accounts within your AWS Organizations.

What are Service Control Policies (SCPs)?

SCPs are JSON policies that define the maximum permissions allowed within an AWS account. Think of them as permission fences that apply to all IAM users, roles, and even the root user within the account. They are applied at the Organizational Unit (OU) or Account level in AWS Organizations.

Important Note: SCPs do not grant permissions. They restrict them. Even if an IAM user has a policy granting them permission to do something, if the SCP attached to their account or OU denies that action, the request will be denied.

How do they work?

SCPs work by creating a “security perimeter” around your accounts. They can be used to:

• Deny access to specific services: For example, you might prevent accounts from using certain AWS services that are not approved.
• Enforce region restrictions: Ensure resources are only provisioned in allowed regions.
• Restrict actions based on tags: For example, only allow creating EC2 instances with specific tags.

Example: Let’s say you want to prevent all accounts in a specific OU from creating EC2 instances in the us-west-2 region. Here’s the SCP you would attach to that OU:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEC2CreationInUSWest2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-west-2"
                }
            }
        }
    ]
}

Explanation:

• Effect": "Deny": This indicates that the policy is denying permission.
• Action": "ec2:RunInstances": This specifies the action being denied: creating EC2 instances.
• aws:RequestedRegion": "us-west-2": This condition key checks the region where the user is trying to create the instance. If it’s us-west-2, the request is denied.

Benefits of SCPs:

• Centralized Security Management: Manage security across multiple AWS accounts from a single point.
• Guardrails: Prevent accidental misconfigurations and enforce security best practices.
• Compliance: Meet regulatory requirements by restricting actions and enforcing policies.
• Account Isolation: Limit the blast radius of security incidents by containing them within specific accounts.

Key Differences: Condition Keys vs. SCPs

Feature	IAM Condition Keys	Service Control Policies (SCPs)
Scope	Within a single IAM policy	Across all accounts in an AWS Organization
Function	Fine-grained control within a policy	Sets the maximum permissions allowed in an account
Effect	Allows or denies access based on conditions	Always denies access if conditions are met
Attachment	Attached to IAM policies (users, roles)	Attached to OUs or accounts in AWS Organizations

Bringing It All Together: A Layered Security Approach

The best security strategy combines both condition keys and SCPs.

• SCPs set the high-level boundaries and enforce mandatory restrictions across your organization.
• Condition keys provide fine-grained control within individual IAM policies, allowing you to tailor permissions to specific needs while staying within the SCP boundaries.

Getting Started:

1. Understand your business requirements: What are your security and compliance goals?
2. Plan your AWS Organizations structure: Organize your accounts into OUs based on your security needs.
3. Start with a least-privilege approach: Grant only the necessary permissions and gradually add restrictions with condition keys and SCPs.
4. Test thoroughly: Before deploying policies to production, test them in a development or staging environment to ensure they work as expected.
5. Monitor and audit: Regularly review your policies and audit logs to identify potential issues and improve your security posture.

By mastering IAM condition keys and SCPs, you can significantly enhance the security and governance of your AWS environment, giving you peace of mind and ensuring your enterprise stays secure in the cloud. Good luck!