SCP should restrict root user actions
Description
A Service Control Policy (SCP) should be attached at the organization root to deny all actions performed by the root user of any member account. The root user has unrestricted access to every resource in its account and should not be used for day-to-day activities. Because an SCP cannot carry a Principal element, the root user is targeted through a Condition on the aws:PrincipalArn key matching arn:aws:iam::*:root; a Deny statement with Action "*" and Resource "*" under that condition enforces the restriction across all member accounts.
This rule also flags SCPs that use NotAction together with a root principal condition. NotAction inverts the match: the Deny applies to every action except those listed, so the listed actions stay available to the root user. If the policy was written on the assumption that a separate explicit Deny covers those actions, removing that other Deny silently reopens them, which is why Action: "*" is required instead.
Note: SCPs do not apply to the management account, so its root user is not restricted by this control. This rule verifies that at least one SCP exists with a Deny statement targeting the root user principal and using Action (not NotAction).
Remediation
Create an SCP that denies all actions (Action: "*", Resource: "*") when the calling principal is the root user, and attach it to the organization root so that it is inherited by every member account. Avoid using NotAction for root restriction policies. Root-only tasks in a member account then require temporarily detaching the SCP or moving the account to an OU without it. Refer to the SCP syntax documentation and the AWS Organizations best practices for guidance.
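The following is an added example, not code from this page or from AWS: a compliant root-deny SCP alongside two non-compliant variants (one using NotAction, one using StringEquals with a wildcard, which never matches because exact-match operators do not expand "*"), plus a small checker that applies the rule's logic. The policy documents, the Sid values, the account number in SAMPLE_ROOT_ARN and the function names are all constructed for illustration.

```python
import fnmatch

# Constructed compliant SCP: Deny every action on every resource when the
# calling principal is any account's root user (matched via aws:PrincipalArn).
ROOT_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUser",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

# Constructed non-compliant SCP: NotAction leaves sts:GetCallerIdentity allowed to root.
ROOT_NOTACTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootExceptIdentity",
        "Effect": "Deny",
        "NotAction": ["sts:GetCallerIdentity"],
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

# Constructed non-compliant SCP: StringEquals compares literally, so the "*"
# in the ARN is never expanded and this Deny matches no principal at all.
ROOT_EQUALS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootBroken",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

SAMPLE_ROOT_ARN = "arn:aws:iam::123456789012:root"  # constructed account id
WILDCARD_OPERATORS = ("StringLike", "ArnLike")        # expand * and ?
EXACT_OPERATORS = ("StringEquals", "ArnEquals")       # literal comparison only


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _root_match(stmt):
    """Return 'match', 'broken' or None for the statement's aws:PrincipalArn condition."""
    verdict = None
    for operator, values in stmt.get("Condition", {}).items():
        patterns = _as_list(values.get("aws:PrincipalArn"))
        if operator in WILDCARD_OPERATORS and any(
                fnmatch.fnmatchcase(SAMPLE_ROOT_ARN, p) for p in patterns):
            return "match"
        if operator in EXACT_OPERATORS:
            for p in patterns:
                if p.endswith(":root"):
                    # A wildcard inside an exact-match operator is a misconfiguration.
                    verdict = "broken" if "*" in p else "match"
    return verdict


def evaluate_scp(policy):
    """Return (compliant, findings) for one SCP document."""
    findings = []
    compliant = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        how = _root_match(stmt)
        if how == "broken":
            findings.append(f"{sid}: wildcard in an exact-match operator never matches root")
            continue
        if how is None:
            continue
        if "NotAction" in stmt:
            exempt = ", ".join(_as_list(stmt["NotAction"]))
            findings.append(f"{sid}: NotAction exempts {exempt} from the root deny")
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            compliant = True
        else:
            findings.append(f'{sid}: root deny does not cover Action "*" on Resource "*"')
    return compliant, findings


def organization_is_compliant(policies):
    """The rule passes when at least one attached SCP carries a full root deny."""
    return any(evaluate_scp(p)[0] for p in policies)


if __name__ == "__main__":
    for policy in (ROOT_DENY_SCP, ROOT_NOTACTION_SCP, ROOT_EQUALS_SCP):
        print(policy["Statement"][0]["Sid"], evaluate_scp(policy))
```

In practice the policy documents would come from `aws organizations describe-policy` for each SCP attached to the root; the checker only looks at Deny statements whose condition actually reaches the root principal, so an SCP with a matching condition but a narrower Action or Resource is reported as a finding rather than silently counted as compliant.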