AWS Service Control Policies

Audience: Cloud Security Engineers and Platform Administrators.

Purpose: Create, test, and deploy AWS Service Control Policies via Kion.

Overview

Service Control Policies (SCPs) are organization-level policies that define maximum permissions for member accounts. SCPs are managed through Kion using Terraform.

Creating an SCP

Step 1: Create Policy JSON

In the it-ae-svc-kion-config repo, create a branch from dev
Create a new .json file in /compliance/aws_scps/:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["<action-to-deny>"],
      "Resource": "*"
    }
  ]
}

Step 2: Create Terraform Resource

Create a new .tf file in /compliance:

resource "kion_service_control_policy" "<scp_name>" {
  name        = "<Descriptive Name>"
  description = "<Description of what the SCP does>"
  policy      = file("${path.module}/aws_scps/<filename>.json")
  
  owner_user_groups {
    id = data.kion_user_group.platform_admins.list[0].id
  }
}

Step 3: Create Cloud Rule

In tamu_cloud_rules.tf, add a new cloud rule:

resource "kion_cloud_rule" "<rule_name>" {
  name        = "<Rule Name>"
  description = "<Description>"
  
  service_control_policies {
    id = kion_service_control_policy.<scp_name>.id
  }
  
  # NOTE: Do NOT add ous {} block until ready for production
}

Testing an SCP

Step 1: Deploy to Dev

Create a PR to merge your branch into dev
This applies the SCP to the kion-dev environment

Step 2: Apply to Test Project

In Kion, navigate to the test project
Go to Cloud management tab → Cloud rules
Click the three-dot menu → Add existing cloud rule
Select your new cloud rule

Step 3: Verify

Federate into the test AWS account
Attempt the action the SCP should prohibit
Verify the action is blocked

Step 4: Check AWS Organizations

Navigate to AWS Organizations → Policies → Service control policies
Select your SCP → Targets
Verify the policy is attached correctly

Deploying to Production

Organization-Wide Deployment

Create a PR to merge dev into main
If applying to all accounts, add the ous {} block:

resource "kion_cloud_rule" "<rule_name>" {
  name = "<Rule Name>"
  
  service_control_policies {
    id = kion_service_control_policy.<scp_name>.id
  }
  
  ous {
    id = <root_ou_id>  # "TAMU" root OU
  }
}

Quick Reference

Stage	Branch	Environment
Development	Feature branch	Local testing
Testing	`dev`	kion-dev
Production	`main`	kion.cloud.tamu.edu

Overview​

Creating an SCP​

Step 1: Create Policy JSON​

Step 2: Create Terraform Resource​

Step 3: Create Cloud Rule​

Testing an SCP​

Step 1: Deploy to Dev​

Step 2: Apply to Test Project​

Step 3: Verify​

Step 4: Check AWS Organizations​

Deploying to Production​

Organization-Wide Deployment​

Quick Reference​