Service control policies disabled

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Service control policies disabled

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 5ba6229c-8057-433e-91d0-21cf13569ca9

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

This check verifies whether the Amazon Organizations configuration has the feature_set attribute set to "ALL", which enables all features, including the use of Service Control Policies (SCPs). If feature_set is set only to "CONSOLIDATED_BILLING", as in the following example, then organizations cannot use SCPs for centralized governance, making it difficult to enforce security and compliance policies across AWS accounts:

resource "aws_organizations_organization" "example" {
  feature_set = "CONSOLIDATED_BILLING"
}

This leaves accounts within the organization more vulnerable to misconfigurations and unauthorized access, as critical controls cannot be imposed at the organization level.

Compliant Code Examples

resource "aws_organizations_organization" "negative1" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}

Non-Compliant Code Examples

resource "aws_organizations_organization" "positive1" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "CONSOLIDATED_BILLING"
}