Service Control Policies Disabled

• Query id: 5ba6229c-8057-433e-91d0-21cf13569ca9
• Query name: Service Control Policies Disabled
• Platform: Terraform
• Severity: Medium
• Category: Insecure Configurations
• CWE: 284
• URL: Github

Description

Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_organizations_organization" "positive1" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "CONSOLIDATED_BILLING"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_organizations_organization" "negative1" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}