Implementing AWS Resource Control Policies: Key Features and Benefits

AWS' new Resource Control Policies (RCPs) aim to improve control over resource access. However, organizations should approach implementation with caution.
Dubie Dubendorfer
2 min read
Last updated December 16, 2024
Varonis for AWS

AWS recently introduced Resource Control Policies (RCPs), enhancing their tools for access management and cloud security. RCPs allow organizations to centrally enforce data perimeters across their AWS environment, improving control over resource access. 

However, organizations should approach RCP implementation with caution.

What are AWS resource control policies? 

Managing access to multiple resources at scale can be complex. Identifying overexposed resources within a large AWS environment requires considerable manual effort, as does maintaining the remediation of these overexposures.

RCPs are a new type of authorization policy managed within AWS Organizations. They allow administrators to set maximum available permissions on resources across the entire organization, effectively creating persistent access guardrails.

RCPs complement the existing Service Control Policies (SCPs) but operate independently, focusing on resource-level access rather than principal-level permissions. 

Key features and benefits 

  • Centralized management: RCPs can be applied at the root, Organizational Unit (OU), or individual account level, allowing for granular control and consistent policy enforcement across multiple AWS accounts. 
  • Enhanced security: By restricting access to resources at scale, RCPs help establish a controlled data perimeter, reducing the risk of unauthorized access or data breaches. However, use RCPs with caution: the more RCPs you have, the harder they become to manage. 
  • Supported services: Currently, RCPs support five critical AWS services: Amazon Simple Storage Service (S3), AWS Security Token Service (STS), AWS Key Management Service (KMS), Amazon Simple Queue Service (SQS), and AWS Secrets Manager. They currently do not support RDS, DynamoDB, other AWS databases, data warehouses, or data lakes. 
  • Cost-effective: There are no additional charges for enabling and using RCPs, making it an accessible security enhancement for organizations of all sizes. 

Use cases and examples 

  • Preventing public access: RCPs can be used to implement a 'deny-first' model, preventing accidental public exposure of sensitive resources like S3 buckets, while allowing exceptions for intentionally public-facing resources. 
  • Enforcing organizational boundaries: Administrators can create policies that deny access to all identities and services outside their AWS organization, with specific exceptions as needed. 
  • Encryption enforcement: RCPs can ensure that all data stored in S3 buckets is encrypted at rest or in transit, maintaining a high standard of data protection. 
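As an added illustration (not code from the article or from Varonis), here is a deny-only RCP document covering the three use cases above, together with a small evaluator for the condition operators it uses, so the guardrail's effect on sample requests can be checked offline. The organization ID and the request contexts are constructed, and the evaluator implements only the operators in this policy, not full IAM semantics.

```python
import fnmatch

ORG_ID = "o-exampleorgid"  # constructed placeholder; use your organization's ID
# Custom RCP document: every statement is a Deny, since an RCP can restrict but never grant.
# The ...IfExists operators let an anonymous request (no org ID) or an AWS service principal
# be judged by the remaining condition key instead of failing the condition outright.
IDENTITY_PERIMETER_RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAccessFromOutsideOrg", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:*", "sqs:*", "kms:*", "secretsmanager:*"], "Resource": "*",
         "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
                       "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}},
        {"Sid": "DenyUnencryptedTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _condition_matches(cond, ctx):
    """True if every operator/key pair in cond holds for the request context ctx."""
    for op, pairs in cond.items():
        if_exists, base = (True, op[:-8]) if op.endswith("IfExists") else (False, op)
        for key, expected in pairs.items():
            if key not in ctx:  # absent key fails a plain operator, satisfies ...IfExists
                if if_exists:
                    continue
                return False
            actual, expected = str(ctx[key]).lower(), str(expected).lower()
            if base == "StringNotEquals":
                ok = actual != expected
            elif base in ("Bool", "StringEquals"):
                ok = actual == expected
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True


def rcp_denies(policy, action, ctx):
    """Return the Sid of the first Deny statement that matches the request, else None."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```

Because the evaluator only reports denies, a `None` result means the RCP imposes no restriction; whether the request is actually allowed still depends on the identity and resource policies.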

Implementation and best practices 

To get started with RCPs, follow these steps: 

  1. Enable the feature in the AWS Organizations console under the "Policies" section 
  2. Create custom RCPs tailored to your organization's security requirements 
  3. Attach RCPs to the desired organizational entities (root, OUs, or accounts) 
  4. Test thoroughly in isolated environments before applying at scale 

It is important to understand that RCPs, like SCPs, act as guardrails: they cannot grant additional permissions and can only restrict or deny actions. Maintaining oversight of multiple RCPs is essential to ensure that any permissions that might be restricted are anticipated. 

Summary 

Resource Control Policies (RCPs) represent a notable development in AWS's security offerings. By providing a centralized method to control resource access across an entire organization, RCPs address a critical gap in cloud security.

However, implementing RCPs can present certain challenges. Organizations must ensure that their policies are thoroughly tested in isolated environments to avoid unintended disruptions. Additionally, maintaining oversight of multiple RCPs can be complex and requires careful planning to anticipate and address any restricted permissions. 

As the AWS ecosystem evolves, further enhancements and broader service support for RCPs are expected, reinforcing their role as an important component of an AWS security strategy. However, organizations should approach RCP implementation with caution.
