Preventive control using SCP’s

Question

Hello ,

I just wanted to know for what all the security preventative 
Controls of ec2 service which are high and critical and also SCP’s can be used to prevent them ? Do we have any documentation pages where I  can find all the security controls/best practices related to all aws services which are ec2, s3, EFS etc  which are detective , and preventive controls and also can we use SCP’s to control the preventive and detective controls.

Answer

Hi,

You can find some of the example SCPs for EC2 here:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html

Please note that this doesn't have all security controls you are looking out for. Once you have all the preventive controls list ready then explore the options and feasibility of implementing them using SCP and AWS Config and Config Conformance packs:

Conformance packs are a powerful feature in AWS Config that help you manage the configuration compliance of your AWS resources at scale. They bundle together AWS Config rules and optional remediation actions into a single, deployable entity.

https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-EC2.html

Similarly you can find for other services you have mentioned.

Good part is that you don't have to author everything from scratch. Following link has a lot of them from AWSLabs:

https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-EC2.yaml

Hope it helps.

Preventive control using SCP’s

Relevant content