It is possible to enforce that all accounts within an AWS organization can only create encrypted EBS volumes and RDS instances. You can restrict the IAM users in member accounts by applying the SCP below. We confirmed that it works: when the EBS volume or the RDS storage is not encrypted, the request is denied.

To learn how to create an SCP, see – https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html

To attach an SCP, see – https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

Please note that SCPs apply only to member accounts, not to the master/management account. For the effect of SCPs on permissions, see [1].

SCP we tested in production

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    },
    {
      "Sid": "PreventEc2MountUnencryptedVolume",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    },
    {
      "Sid": "PreventRDSLaunchWithoutEncryption",
      "Effect": "Deny",
      "Action": "rds:CreateDBCluster",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:StorageEncrypted": "false"
        }
      }
    }
  ]
}
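As an added offline check of the policy logic (example code written for this page, not from AWS or the original post), the evaluator below applies the SCP's Deny statements and Bool conditions to constructed sample requests. It is a simplified model of IAM evaluation (single-string Action and Resource, fnmatch-style wildcards, only the Bool operator, and a missing condition key treated as "condition not met"), so it complements rather than replaces a test in a member account; it also makes visible that the SCP lists only rds:CreateDBCluster, so an unencrypted rds:CreateDBInstance request is not matched by it. The VOLUME ARN, account id and region are placeholders.

```python
import fnmatch
# The SCP from the page, embedded as a Python dict so this runs offline.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:CreateVolume", "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
        {"Sid": "PreventEc2MountUnencryptedVolume", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:volume/*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
        {"Sid": "PreventRDSLaunchWithoutEncryption", "Effect": "Deny",
         "Action": "rds:CreateDBCluster", "Resource": "*",
         "Condition": {"Bool": {"rds:StorageEncrypted": "false"}}},
    ],
}

def _bool_condition_holds(condition, context):
    # Bool operator only (all this SCP uses); per IAM, a key missing from the
    # request context makes the condition false, so the Deny does not apply.
    for key, wanted in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(wanted).lower():
            return False
    return True

def denied_by_scp(action, resource, context, policy=SCP):
    # Sid (or index) of the first Deny statement matching the request, else None.
    # Action/Resource are assumed to be single strings, as in this SCP.
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Deny" or not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _bool_condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt.get("Sid", f"statement[{index}]")
    return None

# Constructed sample requests; the account id and region are placeholders.
VOLUME = "arn:aws:ec2:us-east-1:111122223333:volume/*"
SAMPLE_REQUESTS = [
    ("ec2:CreateVolume", VOLUME, {"ec2:Encrypted": "false"}),
    ("ec2:CreateVolume", VOLUME, {"ec2:Encrypted": "true"}),
    ("ec2:RunInstances", VOLUME, {"ec2:Encrypted": "false"}),
    ("rds:CreateDBCluster", "*", {"rds:StorageEncrypted": "false"}),
    ("rds:CreateDBInstance", "*", {"rds:StorageEncrypted": "false"}),  # not an Action in the SCP
]

def evaluate_samples():
    return [denied_by_scp(a, r, c) for a, r, c in SAMPLE_REQUESTS]
```

Running `evaluate_samples()` returns one verdict per sample request in order; a `None` means the SCP does not deny the request, and the IAM policies in the account then decide.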

Should you have any additional questions, please feel free to send an email or reach out through the contact page. We will be glad to assist you further.

–References–
[1] Effect on permissions (SCP) – https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions
[2] Create a member account – https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html
[3] Inviting a member account – https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html
