
AWS Resource Control Policies (RCPs)

Introduction to Resource Control Policies (RCPs) with examples

Published Dec 16, 2024

Introduction to Resource Control Policies (RCPs)

Resource Control Policies (RCPs) are a powerful tool within AWS Organizations that help you centrally manage resource permissions across your entire organization. They allow you to set maximum available permissions for resources in your organization. For example, an RCP could ensure that no one outside your AWS Organization can access your S3 buckets. If someone within your organization created an S3 bucket policy to make a bucket public, the RCP would override it, preventing the bucket from being publicly accessible.
As of now (December 2024), RCPs can be applied to the following AWS services:
  • Amazon S3
  • AWS Security Token Service
  • AWS Key Management Service
  • Amazon SQS
  • AWS Secrets Manager

Examples of Resource Control Policies

To Restrict S3 Access outside of the organization

This policy ensures that S3 buckets are only accessible by principals within your AWS Organization. If an S3 bucket policy were added to make the bucket public, the RCP would prevent the bucket from being publicly accessible.
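As an added illustration (not code from the original post), the following Python sketch builds the organization-only S3 RCP with the `aws:PrincipalOrgID` and `aws:PrincipalIsAWSService` condition keys and evaluates it against a few request contexts, showing why an anonymous request from a public bucket policy falls into the Deny while organization members and AWS service principals do not. The organization id is a placeholder, and the evaluator implements only the two condition operators this policy uses.

```python
# Placeholder organization id for the demo; a real one looks like o-xxxxxxxxxx.
ORG_ID = "o-exampleorgid"

def s3_org_only_rcp(org_id: str) -> dict:
    """Deny every S3 action unless the caller belongs to the organization or is
    an AWS service principal (e.g. a service delivering logs to a bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnforceOrgIdentities",
            "Effect": "Deny",
            "Principal": "*",  # RCPs use "*"; the Condition does the filtering
            "Action": ["s3:*"],
            "Resource": "*",
            "Condition": {
                # ...IfExists operators evaluate to true when the key is absent,
                # which is exactly what catches anonymous (public) requests.
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }],
    }

def condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Evaluate one condition key against the request context (the condition
    keys present in the request). Only the operators used above are handled."""
    if key not in ctx:
        return operator.endswith("IfExists")
    actual = str(ctx[key])
    if operator.startswith("StringNotEquals"):
        return actual != expected
    if operator.startswith("Bool"):
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported condition operator: {operator}")

def is_denied(policy: dict, ctx: dict) -> bool:
    """True when a Deny statement matches: every condition key in every block
    must evaluate to true for the statement to apply."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        blocks = stmt.get("Condition", {})
        if all(condition_matches(op, key, val, ctx)
               for op, pairs in blocks.items() for key, val in pairs.items()):
            return True
    return False
```

Calling `is_denied(s3_org_only_rcp(ORG_ID), {})` models an anonymous request and returns `True`, while a context carrying your own `aws:PrincipalOrgID` returns `False`.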

Access Resources only using HTTPS

This policy ensures that access to resources is restricted to encrypted connections over HTTPS. This helps prevent potential attackers from intercepting or manipulating network traffic.

Assume roles only from your account

IAM roles in your accounts can only be assumed by principals within your organization or by approved third-party vendors. If an IAM role's trust policy is written to make it publicly assumable, the RCP still restricts it to access from trusted accounts only.

Conclusion

Resource Control Policies (RCPs) are a very useful tool for establishing guardrails across all resources within an AWS Organization. As with service control policies (SCPs), it is crucial to test a policy thoroughly before deploying it organization-wide to avoid unintended disruptions.