AWS Control Tower continues to push the boundaries of governance and security in multi-account AWS environments. At re:Invent 2024, AWS introduced a suite of powerful features aimed at enhancing compliance, simplifying operations, and securing AWS resources. In this blog, we’ll explore the highlights, focusing on Service Control Policies (SCPs), Resource Control Policies (RCPs), and Declarative Policies, along with new AWS IAM Identity Center integrations and Control Tower-specific enhancements.
Service Control Policies (SCPs)
SCPs have long been a cornerstone of AWS Organizations, allowing administrators to set permission guardrails across accounts. At re:Invent 2024, AWS reiterated the importance of SCPs as part of a comprehensive security strategy. SCPs enable organizations to define the maximum permissions for AWS Identity and Access Management (IAM) users and roles within an organization, ensuring that even if individual IAM policies grant broader permissions, they cannot exceed those defined in the SCPs. This central control mechanism is vital for maintaining compliance and security across AWS environments.
Resource Control Policies (RCPs)
A groundbreaking addition to AWS Control Tower is the introduction of Resource Control Policies (RCPs). RCPs are designed to establish a data perimeter around AWS resources, providing centralized management over resource access. Unlike SCPs, which govern permissions at the IAM level, RCPs focus on resource-level permissions, allowing organizations to enforce rules such as restricting access to Amazon S3 buckets solely to IAM principals within the organization.
. This capability enhances security by preventing unintended external access to sensitive resources.
Key Features of RCPs:
Centralized Management: RCPs can be applied across all accounts in an organization, ensuring consistent enforcement of access controls.
Service Support: Initially available for services like Amazon S3, AWS KMS, and AWS Secrets Manager, RCPs are expected to expand their coverage over time.
Exemptions: Administrators can configure exemptions for specific principals or resources that do not need to adhere to certain controls, providing flexibility in policy application.
Declarative Policies
Another significant enhancement is the introduction of Declarative Policies within AWS Control Tower. These policies allow for preventive controls that are enforced directly at the service level. This means that as new features or APIs are introduced by AWS services, the specified configurations remain enforced without requiring manual updates.
Declarative Policies provide a robust framework for ensuring compliance and operational consistency across diverse environments.
AWS IAM Identity Center Enhancements
Secure Root User Access for Member Accounts
One of the standout features announced is Secure Root User Access for member accounts in AWS Organizations. This enhancement allows organizations to better secure their root user accounts by enabling more granular access controls and reducing the risk of unauthorized access.
Simplified Identity Propagation
AWS IAM Identity Center now supports a single identity context for propagating user identities across AWS services. This change simplifies application development by allowing developers to call any AWS service using a single IAM role session, enhancing both security and usability.
This feature improves user experience by ensuring that user identities are consistently logged across services, facilitating better auditing and compliance.
Permission Set Search Functionality
Another notable improvement is the introduction of permission set search, which enables administrators to filter permission sets based on their names. This functionality streamlines the management of access across multiple accounts, making it easier to locate and assign appropriate permissions quickly.
Integration within AWS Control Tower
These new policy frameworks—SCPs, RCPs, and Declarative Policies—are intricately linked within AWS Control Tower's governance model. By leveraging these tools together, organizations can achieve a layered security posture that addresses both user permissions and resource access comprehensively.
Additional Features in Control Tower
AWS Control Tower has also introduced several specific features aimed at improving operational efficiency and compliance:
Backup Plans: New prescriptive backup plans allow users to define data backup workflows directly within their landing zones. These plans include predefined rules for retention periods and backup frequency, ensuring consistent data protection across all governed accounts.
Hook Management for Proactive Controls: Enhanced hook management capabilities enable organizations to implement proactive controls that automatically respond to changes in account configurations, helping maintain compliance without manual intervention.
Drift Detection: Control Tower now supports drift detection for both SCPs and RCPs. If any policies are modified outside of Control Tower's governance framework, administrators will be notified and provided with remediation steps.
Organizational Units (OUs): Each Organizational Unit can now contain up to 1,000 AWS accounts, allowing for greater scalability in managing complex organizational structures.
In conclusion, the updates announced at re:Invent 2024 position AWS Control Tower as a powerful tool for organizations looking to enhance their cloud governance framework. By integrating SCPs, RCPs, and Declarative Policies with advanced features like backup plans and proactive controls, AWS is enabling businesses to operate securely and efficiently in an increasingly complex cloud environment.