Service control policies disabled

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 5ba6229c-8057-433e-91d0-21cf13569ca9

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Insecure Configurations

Learn More

Description

This check verifies whether the Amazon Organizations configuration has the feature_set attribute set to "ALL", which enables all features, including the use of Service Control Policies (SCPs). If feature_set is set only to "CONSOLIDATED_BILLING", as in the following example, then organizations cannot use SCPs for centralized governance, making it difficult to enforce security and compliance policies across AWS accounts:

resource "aws_organizations_organization" "example" {
  feature_set = "CONSOLIDATED_BILLING"
}

This leaves accounts within the organization more vulnerable to misconfigurations and unauthorized access, as critical controls cannot be imposed at the organization level.

Compliant Code Examples

resource "aws_organizations_organization" "negative1" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}

Non-Compliant Code Examples

resource "aws_organizations_organization" "positive1" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "CONSOLIDATED_BILLING"
}