Example SCP: Deny AWS account root user access

Service Control Policy example that denies access to AWS resources for the AWS account root user.

Service Control Policy example: Deny access to AWS resources for the AWS account root user

It is generally a best practice not to use the root user for day-to-day tasks in your AWS account. Instead, create an IAM admin user and use that for administrative tasks.

Since the root user has full access to all your resources and billing information, you should further protect it with the following steps:

As an additional layer of protection, you can set up a guardrail in the form of a Service Control Policy that denies the root user access to AWS resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      },
      "Action": "*",
      "Resource": "*",
      "Effect": "Deny",
      "Sid": "DenyRootUser"
    }
  ]
}
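To see exactly which principals the Deny statement above catches, here is an added example (not from the original post) that evaluates the policy's StringLike condition offline against constructed sample ARNs; the account id 123456789012 is a placeholder.

```python
"""Offline check of the DenyRootUser SCP against sample principal ARNs.
Note: SCPs never restrict the management account, so this guardrail only
protects member accounts the policy is attached to.
"""
import json
import re

# The policy document from the post, embedded verbatim.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    "Action": "*", "Resource": "*", "Effect": "Deny", "Sid": "DenyRootUser"
  }]
}""")


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """True if a Deny statement matches both the action and the caller's ARN."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(string_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        patterns = _as_list(cond.get("aws:PrincipalArn", "*"))
        if any(string_like(p, principal_arn) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample principals; 123456789012 is a placeholder account id.
    for arn in ("arn:aws:iam::123456789012:root",
                "arn:aws:iam::123456789012:user/admin",
                "arn:aws:sts::123456789012:assumed-role/Admin/session"):
        verdict = "DENY" if scp_denies(SCP, arn, "s3:ListAllMyBuckets") else "allowed past SCP"
        print(f"{arn}: {verdict}")
```

The IAM admin user and the assumed-role session pass the SCP untouched, which is exactly why the post recommends doing administrative work through them rather than through root.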

How to create the AWS Service Control Policy

Log in to the AWS console and go to the Service control policies tab under the AWS Organizations service, where you can create the new policy. Note: AWS Organizations must be enabled first.

Learn more about AWS Service Control Policies

If you are in a position where you have responsibility for the AWS Cloud infrastructure, then have a look at The complete guide to AWS Service Control Policies.

Originally posted on Towards the Cloud