SCP should restrict marketplace subscriptions
Description
A Service Control Policy (SCP) should restrict the ability to subscribe to or create agreements in the AWS Marketplace. Unrestricted marketplace access allows any account member to procure third-party software, incurring costs and potentially introducing unvetted software into the environment. Limiting marketplace actions by SCP ensures procurement follows an approval process.
This rule also flags SCPs that use NotAction to exempt marketplace actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.
Create an SCP that explicitly denies marketplace subscription actions using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt marketplace actions. Refer to the SCP syntax documentation for guidance.
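The following checker, added here as an illustration and not part of the rule's own implementation, evaluates an SCP document the way the description above distinguishes the two patterns: an unconditional Deny whose Action list covers the marketplace actions passes, while a Deny that uses NotAction to exempt those actions is flagged. The two marketplace action names and both sample policies are constructed for this example.

```python
from fnmatch import fnmatch

# Marketplace actions the check looks for (an assumed set for this example).
MARKETPLACE_ACTIONS = ("aws-marketplace:Subscribe",
                       "aws-marketplace:AcceptAgreementApprovalRequest")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(patterns, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)

def evaluate_scp(policy):
    """Return (explicit_deny_found, notaction_exemptions) for one SCP document."""
    explicit_deny, exemptions = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt and "Condition" not in stmt:
            # An unconditional Deny whose Action list covers every marketplace action.
            if all(_covers(_as_list(stmt["Action"]), a) for a in MARKETPLACE_ACTIONS):
                explicit_deny = True
        elif "NotAction" in stmt:
            # Deny-everything-except: marketplace actions matched here are exempted.
            exempted = [a for a in MARKETPLACE_ACTIONS
                        if _covers(_as_list(stmt["NotAction"]), a)]
            if exempted:
                exemptions.append((stmt.get("Sid", "<no Sid>"), exempted))
    return explicit_deny, exemptions

def is_compliant(policy):
    explicit_deny, exemptions = evaluate_scp(policy)
    return explicit_deny and not exemptions

# Constructed sample SCPs (not policies from any real organization).
WEAK_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllExceptMarketplace", "Effect": "Deny",
     "NotAction": ["aws-marketplace:*", "sts:AssumeRole"], "Resource": "*"}]}

FIXED_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyMarketplaceSubscriptions", "Effect": "Deny",
     "Action": list(MARKETPLACE_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    for name, scp in (("weak", WEAK_SCP), ("fixed", FIXED_SCP)):
        print(name, evaluate_scp(scp), "compliant" if is_compliant(scp) else "NON-COMPLIANT")
```

A Deny that carries a Condition is deliberately not counted as the blanket restriction, since it only applies to principals or requests matching that condition.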