gezza-b/aws-scp-terraform-module

AWS SCP Module for Terraform

The module generates an AWS SCP document; individual policy statements are added by setting the corresponding variables to true. The module includes only a handful of statements for demo purposes, but it can easily be extended for production needs.

Included statements are:

  • Deny usage of AWS root account
  • Deny changing the IAM password policy
  • Deny changes to VPCs
  • Deny changes of AWS Config resources
  • Deny changes of AWS CloudTrail resources

Why I find this module useful

The module makes it easier to manage AWS SCP (service control policy) rules at scale. SCPs are limited in size to 5,120 bytes each, and the approach provides a convenient way to enable and disable rules for each individually generated SCP. Because modules can be versioned, managing several versions across environments is also easy. For example, you can test the latest version in a Development or Test environment while keeping your Production environment on an earlier minor release.
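The following is an added example of how a toggle-driven SCP module of this kind can be built; it is not the repository's own code. The resource and data source names follow the Resources table below, while the variable names come from the Inputs table. The statement contents (actions and conditions), the `lifecycle` precondition that enforces the 5,120-byte limit at plan time, and the output name are assumptions for illustration.

```hcl
# Added example (not the repository's own code). Resource names follow the
# README's Resources table; statement bodies and the size check are assumptions.

variable "name" {
  description = "SCP name"
  type        = string
}

variable "targets" {
  description = "OU and account IDs to attach the SCP to"
  type        = set(string)
  default     = []
}

variable "deny_root_account_access" {
  type    = bool
  default = false
}

variable "deny_password_policy_changes" {
  type    = bool
  default = false
}

variable "deny_cloudtrail_changes" {
  type    = bool
  default = false
}

# Each statement is emitted only when its toggle is true: a one-element
# list produces one statement block, an empty list produces none.
data "aws_iam_policy_document" "scp_policy" {
  dynamic "statement" {
    for_each = var.deny_root_account_access ? [1] : []
    content {
      sid       = "DenyRootAccountUsage"
      effect    = "Deny"
      actions   = ["*"]
      resources = ["*"]
      condition {
        test     = "StringLike"
        variable = "aws:PrincipalArn"
        values   = ["arn:aws:iam::*:root"]
      }
    }
  }

  dynamic "statement" {
    for_each = var.deny_password_policy_changes ? [1] : []
    content {
      sid    = "DenyPasswordPolicyChanges"
      effect = "Deny"
      actions = [
        "iam:UpdateAccountPasswordPolicy",
        "iam:DeleteAccountPasswordPolicy",
      ]
      resources = ["*"]
    }
  }

  dynamic "statement" {
    for_each = var.deny_cloudtrail_changes ? [1] : []
    content {
      sid    = "DenyCloudTrailChanges"
      effect = "Deny"
      actions = [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
      ]
      resources = ["*"]
    }
  }
}

resource "aws_organizations_policy" "scp_document" {
  name    = var.name
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.scp_policy.json

  lifecycle {
    # Fail at plan time rather than at apply time when the generated document
    # would exceed the SCP size limit. length() counts characters, which equals
    # bytes for an ASCII-only policy document.
    precondition {
      condition     = length(data.aws_iam_policy_document.scp_policy.json) <= 5120
      error_message = "Generated SCP exceeds the 5,120 byte limit; split the statements across SCPs."
    }
  }
}

# One attachment per OU or account ID in the targets set.
resource "aws_organizations_policy_attachment" "scp_attachment" {
  for_each  = var.targets
  policy_id = aws_organizations_policy.scp_document.id
  target_id = each.value
}

output "scp_document" {
  description = "Generated SCP document"
  value       = data.aws_iam_policy_document.scp_policy.json
}
```

Enable at least one toggle per instance, since an SCP with no statements is not a usable policy. Consumers that want the environment-by-environment versioning described above pin the module `source` to a tag (for example a `?ref=` on a Git source), so Development can track the latest release while Production stays on an earlier one.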

Example for a Service Control Policy

This example enables all deny statements:

```hcl
module "scp-prod" {
  source  = "../"
  targets = toset([var.ou_targets.production])
  name    = "production"

  deny_root_account_access     = true
  deny_password_policy_changes = true
  deny_vpn_gateway_changes     = true
  deny_vpc_changes             = true
  deny_config_changes          = true
  deny_cloudtrail_changes      = true
}
```

Blog Post

https://medium.com/@bachlmayr/efficient-implementation-of-aws-service-control-policies-with-terraform-25d41a3d81ca

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws  | 4.14.0  |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_organizations_policy.scp_document | resource |
| aws_organizations_policy_attachment.scp_attachment | resource |
| aws_iam_policy_document.scp_policy | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| deny_cloudtrail_changes | Deny AWS CloudTrail related changes | `bool` | `false` | no |
| deny_config_changes | Deny AWS Config related changes | `bool` | `false` | no |
| deny_password_policy_changes | Deny changes to the IAM password policy | `bool` | `false` | no |
| deny_root_account_access | Deny usage of the AWS account root user | `bool` | `false` | no |
| deny_vpc_changes | Deny VPC related changes | `bool` | `false` | no |
| deny_vpn_gateway_changes | Deny changes to VPN gateways | `bool` | `false` | no |
| name | SCP name | `string` | n/a | yes |
| targets | List of OU and account IDs to attach the SCP to | `set(string)` | `[]` | no |

Outputs

| Name | Description |
|------|-------------|
| scp_document | Generated SCP document |
