TL;DR
Applying SCPs in a complex AWS environment can prove more complicated than expected. Unlike Azure policies, SCPs cannot be applied in an audit-only mode: they are active as soon as they are attached and can immediately block legitimate workloads. It is therefore essential to monitor their deployment closely, for example with CloudWatch and the help of the open-source project Safer-scps.
Introduction
AWS Service Control Policies (SCPs) are a permissions management tool within AWS Organizations that let companies control, at a fine-grained level, which actions can be performed in the accounts of an organization. SCPs act as an additional restriction layer that applies to users, roles, and services within AWS accounts, even when those principals have permissions granted through IAM (Identity and Access Management). They allow platform administrators to enforce global security rules, for example preventing accounts from using certain services or creating specific resources, independently of individual IAM permissions. SCPs can be attached at the root of the organization, to an OU, or directly to an account. See the AWS documentation on SCPs.
To monitor the effect of SCPs in production, the simplest approach is to inspect your CloudTrail logs and watch for AccessDenied errors attributed to a service control policy. For this, the Safer-scps project deploys EventBridge rules, CloudWatch log groups, and metrics that make it easy to build CloudWatch dashboards. Let's look at its command-line deployment using the AWS CLI.
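The detection logic described above, implemented as an added example (not code from the Safer-scps project or from this article): it reads CloudTrail records, keeps only the access-denied events whose error message attributes the denial to a service control policy, and aggregates them per account, service and action, which is the shape of data a dashboard would chart. The sample records, account IDs and ARNs are constructed for the example; the set of error codes and the "service control policy" marker in the message are assumptions about how SCP denials appear in CloudTrail.

```python
import json
from collections import Counter

# Error codes under which a denied API call is reported in CloudTrail.
# (Assumption: EC2 reports Client.UnauthorizedOperation, most other
# services report AccessDenied or AccessDeniedException.)
DENY_ERROR_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

# Assumption: an SCP denial carries this phrase in its errorMessage, which
# is what distinguishes it from an ordinary identity-policy denial.
SCP_MARKER = "service control policy"


def is_scp_denial(record: dict) -> bool:
    """True when the CloudTrail record is a denial caused by an SCP."""
    if record.get("errorCode") not in DENY_ERROR_CODES:
        return False
    message = (record.get("errorMessage") or "").lower()
    return SCP_MARKER in message


def summarize(records) -> Counter:
    """Count SCP denials per (account, service, action)."""
    counter = Counter()
    for rec in records:
        if is_scp_denial(rec):
            key = (rec.get("recipientAccountId"), rec.get("eventSource"), rec.get("eventName"))
            counter[key] += 1
    return counter


def load_records(text: str) -> list:
    """Parse the JSON document CloudTrail delivers to S3 ({"Records": [...]})."""
    return json.loads(text)["Records"]


def _record(account, source, name, error_code=None, error_message=None):
    # Helper to build constructed sample records with the fields used above.
    rec = {
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": source,
        "eventName": name,
        "awsRegion": "ca-central-1",
        "userIdentity": {"type": "IAMUser", "accountId": account,
                         "arn": f"arn:aws:iam::{account}:user/alice"},
        "recipientAccountId": account,
    }
    if error_code:
        rec["errorCode"] = error_code
        rec["errorMessage"] = error_message
    return rec


# Constructed sample trail: two SCP denials in one account, an ordinary IAM
# denial, a successful call, and one SCP denial in a second account.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("111122223333", "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation",
            "User: arn:aws:iam::111122223333:user/alice is not authorized to perform: "
            "ec2:RunInstances on resource: arn:aws:ec2:ca-central-1:111122223333:instance/* "
            "with an explicit deny in a service control policy"),
    _record("111122223333", "s3.amazonaws.com", "PutObject", "AccessDenied",
            "User: arn:aws:iam::111122223333:user/alice is not authorized to perform: "
            "s3:PutObject on resource: arn:aws:s3:::example-bucket/key "
            "because no identity-based policy allows the s3:PutObject action"),
    _record("111122223333", "sts.amazonaws.com", "GetCallerIdentity"),
    _record("111122223333", "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation",
            "User: arn:aws:iam::111122223333:user/alice is not authorized to perform: "
            "ec2:RunInstances on resource: arn:aws:ec2:ca-central-1:111122223333:instance/* "
            "with an explicit deny in a service control policy"),
    _record("444455556666", "iam.amazonaws.com", "CreateUser", "AccessDenied",
            "User: arn:aws:iam::444455556666:user/alice is not authorized to perform: "
            "iam:CreateUser on resource: arn:aws:iam::444455556666:user/bob "
            "with an explicit deny in a service control policy"),
]})


if __name__ == "__main__":
    for (account, source, action), count in summarize(load_records(SAMPLE_TRAIL)).items():
        print(f"{account} {source} {action}: {count} SCP denial(s)")
```

Running the script against a real trail means pointing `load_records` at the gzipped JSON objects CloudTrail writes to S3; the IAM denial on `s3:PutObject` is deliberately excluded from the count so that a dashboard built on these numbers reflects SCP blockages only, not every permission error in the organization.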
CloudFormation Deployment
After cloning the repository to your computer, create the first stack with this command:

```bash
aws cloudformation create-stack --stack-name safer-scps --template-body file://bus.yml --parameters ParameterKey=OrgId,ParameterValue=YOURORGIDHERE
```
To find the value of the output parameter EventBusArn, use this command:

```bash
aws cloudformation describe-stacks --stack-name safer-scps
```
Finally, all you have to do is launch the second stack:

```bash
aws cloudformation create-stack --stack-name rules \
  --template-body file://rules.yml \
  --parameters ParameterKey=EventBusArn,ParameterValue=arn:aws:events:ca-central-1:YOURACCOUNTID:event-bus/scp-errors-event-bus \
  --capabilities CAPABILITY_NAMED_IAM
```
Using CloudWatch
You now have two options in CloudWatch: you can monitor the logs directly by checking the log group /aws/events/scp-error-events, or you can create a dashboard built on that log group.