SCP should restrict root user actions


Description

A Service Control Policy (SCP) should be applied at the organization level to deny all actions performed by the root user. The root user has unrestricted access to all resources and should not be used for day-to-day activities. An SCP with an explicit deny for the root principal (arn:aws:iam::*:root) enforces this restriction across all member accounts.

This rule also flags SCPs that use NotAction with a root principal condition. Using NotAction instead of Action: "*" exempts specific actions from the root deny, creating a gap that could be exploited if the corresponding explicit deny is ever removed.

Note: SCPs do not apply to the management account. This rule verifies that at least one SCP exists with a deny statement targeting the root user principal, using Action (not NotAction).

Remediation

Create an SCP that denies all actions (Action: "*") when the principal is the root user and attach it to the organization root. Avoid using NotAction for root restriction policies. Refer to the SCP syntax documentation and the AWS Organizations best practices for guidance.
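The following is an added example, not part of this rule page or Datadog's own checker: two constructed SCP documents (the compliant Action "*" form beside the NotAction variant the rule flags) and a small evaluator that applies the rule to a list of SCPs. The root-principal match uses the aws:PrincipalArn condition key, as in AWS's own example SCPs; the exempted action in the NotAction sample is an arbitrary placeholder.

```python
import json

# Constructed compliant SCP: explicit Deny on every action when the caller is the root user.
# aws:PrincipalArn as the condition key is assumed (it is what AWS's example SCPs use).
COMPLIANT_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
})

# Constructed non-compliant variant: NotAction leaves the listed action(s) outside the deny,
# so they remain usable by root. The exempted action is a placeholder chosen for the sample.
NOTACTION_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUserWithGap", "Effect": "Deny", "Resource": "*",
        "NotAction": ["sts:GetCallerIdentity"],
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
})

def _as_list(value):
    # IAM policy grammar allows a single string or a list for Action/NotAction/Condition values.
    return value if isinstance(value, list) else [value]

def _targets_root(stmt):
    """True if the statement's Condition matches the root user principal ARN pattern."""
    cond = stmt.get("Condition", {})
    for op in ("StringLike", "ArnLike", "StringEquals", "ArnEquals"):
        if "arn:aws:iam::*:root" in _as_list(cond.get(op, {}).get("aws:PrincipalArn", [])):
            return True
    return False

def classify_scp(policy_json):
    """Return "compliant", "notaction_gap", or "no_root_deny" for one SCP document."""
    result = "no_root_deny"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _targets_root(stmt):
            continue
        if "NotAction" in stmt:
            result = "notaction_gap"  # flagged: the exempted actions stay allowed for root
        elif "*" in _as_list(stmt.get("Action", [])):
            return "compliant"
    return result

def organization_restricts_root(policy_jsons):
    """The rule's pass condition: at least one SCP carries an Action "*" deny on root."""
    return any(classify_scp(p) == "compliant" for p in policy_jsons)
```

Feed it the policy documents returned for each SCP in the organization; a NotAction-only set fails even though it superficially targets root.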