AWS Resource Control Policies (RCPs)
Introduction to Resource Control Policies (RCPs) with examples
Published Dec 16, 2024
Resource Control Policies (RCPs) are a powerful tool within AWS Organizations that help you centrally manage resource permissions across your entire organization. They allow you to set maximum available permissions for resources in your organization. For example, an RCP could ensure that no one outside your AWS Organization can access your S3 buckets. If someone within your organization created an S3 bucket policy to make a bucket public, the RCP would override it, preventing the bucket from being publicly accessible.
As of now (December 2024), RCPs can be applied to the following AWS services:
- Amazon S3
- AWS Security Token Service
- AWS Key Management Service
- Amazon SQS
- AWS Secrets Manager
This policy ensures that S3 buckets are accessible only to principals within your AWS Organization. If an S3 bucket policy were added to make the bucket public, the RCP would still prevent the bucket from being publicly accessible.
This policy ensures that access to resources is restricted to encrypted connections over HTTPS. This helps prevent attackers from intercepting or manipulating network traffic in transit.
IAM roles in your accounts can only be assumed by principals within your organization or by approved third-party vendors. Even if a role's trust policy is made publicly assumable, the RCP still restricts assumption to trusted accounts.
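The three guardrails described above combined into a single RCP, written here as an added example rather than a policy taken from the original post. The organization ID `o-EXAMPLEORGID` and the vendor account `111111111111` are placeholders; `aws:PrincipalIsAWSService` is exempted so that AWS service principals (for example CloudTrail log delivery) are not blocked, and the `IfExists` operators keep the deny from firing on requests that carry no principal organization at all, such as anonymous S3 reads, by treating a missing key as "not equal".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3OnlyFromOurOrg",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "S3RequireTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "AssumeRoleOnlyFromOrgOrVendors",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sts:AssumeRole",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID",
          "aws:PrincipalAccount": ["111111111111"]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Because the conditions within one statement are ANDed, the `AssumeRole` statement denies only callers that are outside the organization and not in the vendor list and not an AWS service; attach it first to a test OU and review CloudTrail `AccessDenied` events before moving it to the root.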
Resource Control Policies (RCPs) are a very useful tool for establishing guardrails across all resources within an AWS Organization. As with service control policies (SCPs), it is crucial to test a policy thoroughly before deploying it organization-wide, to avoid unintended disruptions.