SCP should restrict marketplace subscriptions

Description

A Service Control Policy (SCP) should restrict the ability to subscribe to or create agreements in the AWS Marketplace. Unrestricted marketplace access lets any principal in a member account procure third-party software, incurring costs and potentially introducing unvetted software into the environment. Limiting marketplace actions by SCP ensures procurement follows an approval process.

This rule also flags SCPs that use NotAction to exempt marketplace actions from a deny statement. A deny statement written with NotAction blocks every action except those listed, so marketplace actions named in the NotAction list remain permitted by that statement and are blocked only while a separate explicit deny exists. This creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Remediation

Create an SCP that explicitly denies marketplace subscription actions using Action (not NotAction) and attach it to the organization root. Remove any NotAction-based deny statements that exempt marketplace actions. Refer to the SCP syntax documentation for the policy grammar and the list of supported condition keys.
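The following is an added example, not part of the original rule text or of any AWS documentation. It embeds two constructed SCP documents (a NotAction-based allowlist that leaves marketplace actions exempt, and the remediated Action-based explicit deny) and a small evaluator that applies this rule's two checks to a policy: is there a Deny statement whose Action covers the marketplace actions, and does any Deny statement exempt them via NotAction. The action list beyond aws-marketplace:Subscribe, the procurement-role ARN and the use of an aws:PrincipalArn exception are assumptions to tune for your organization.

```python
"""Evaluate an SCP document against the 'restrict marketplace subscriptions' rule."""
import fnmatch
import json

# Marketplace actions the SCP is expected to deny. Subscribe is the core
# action; the second entry is an assumption and should be tuned per org.
MARKETPLACE_ACTIONS = (
    "aws-marketplace:Subscribe",
    "aws-marketplace:AcceptAgreementApprovalRequest",
)

# Constructed example: service allowlist built with NotAction. Every service
# not listed is denied, but aws-marketplace:* is exempt, so subscriptions stay
# allowed unless some other statement denies them. This is the flagged pattern.
WEAK_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptApprovedServices",
            "Effect": "Deny",
            "NotAction": ["ec2:*", "s3:*", "iam:*", "aws-marketplace:*"],
            "Resource": "*",
        }
    ],
}

# Constructed example: explicit Action-based deny, with an optional carve-out
# for a procurement role (placeholder ARN, assumed approval-process design).
HARDENED_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMarketplaceSubscriptions",
            "Effect": "Deny",
            "Action": list(MARKETPLACE_ACTIONS),
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-ProcurementRole"
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_scp(policy):
    """Return {'compliant': bool, 'findings': [str]} for one SCP document."""
    findings = []
    explicitly_denied = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        # Check 1: which marketplace actions does an Action-based deny cover?
        for pattern in _as_list(stmt.get("Action")):
            for action in MARKETPLACE_ACTIONS:
                if _matches(pattern, action):
                    explicitly_denied.add(action)
        # Check 2: does a NotAction-based deny exempt marketplace actions?
        not_actions = _as_list(stmt.get("NotAction"))
        exempted = [a for a in MARKETPLACE_ACTIONS
                    if any(_matches(p, a) for p in not_actions)]
        if exempted:
            findings.append(
                f"{stmt.get('Sid', '<no Sid>')}: NotAction exempts {exempted} from deny")
    missing = [a for a in MARKETPLACE_ACTIONS if a not in explicitly_denied]
    if missing:
        findings.append(f"no Action-based Deny covers {missing}")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for name, scp in (("WEAK_SCP", WEAK_SCP), ("HARDENED_SCP", HARDENED_SCP)):
        print(name, json.dumps(evaluate_scp(scp), indent=2))
```

The evaluator deliberately ignores Allow statements: SCPs are evaluated as a boundary, and only an explicit Deny can guarantee the marketplace actions are unavailable regardless of what IAM policies in the member account grant. Run it against exported SCP JSON (for example from `aws organizations describe-policy`) to triage existing policies before replacing NotAction allowlists with the explicit deny shown.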