Auto-sync: 2026-04-29 00:02
42
wiki/concepts/SCP-Security-Control-Policy.md
Normal file
@@ -0,0 +1,42 @@
---
title: "SCP (Security Control Policy)"
type: concept
tags: ["AWS", "Security", "Landing-Zone", "Tagging", "OU"]
sources: ["ctp-topic-10-aws-landing-zone-lz-data-collection-tagging-related-security"]
last_updated: 2026-04-28
---
## Definition
SCP(Security Control Policy)是 AWS Organizations 中的一种策略类型,通过「显式拒绝」(deny)逻辑强制执行组织范围内的安全与合规规则。与 IAM 策略不同,SCP 作用于组织单元(OU)或账户级别,控制谁可以执行什么操作,而不是授予权限。
## Core Mechanism
- **基于标签的 SCP**:拒绝资源在不符合预期标签值的情况下被创建(如:拒绝在特定 OU 中创建没有 `Environment: Production` 标签的 EC2 实例)
- **OU 分层执行**:SCP 在 OU 层级自上而下继承,高层级 OU 的拒绝策略优先级最高
- **防止标签篡改**:阻止普通用户通过修改标签(如从 `Team: ADM` 改为 `Team: ITOM`)绕过安全审计或访问控制
## In AWS Landing Zone Context
在 [[AWS-Landing-Zone]] 架构中,SCP 是 Landing Zone 治理的关键组件:
- 与 [[Checkpoint-Firewall]] 的标签驱动策略联动:SCPs 确保只有正确标记的资源进入云环境,Checkpoint 基于标签实施网络层访问控制
- SCP 是「防护栏」(Guardrails)的核心实现手段
- 补充 AWS IAM 的「授予权限」模型,提供强制拒绝能力
## Example Use Case
```
# 拒绝在没有 Owner 标签的情况下创建 EC2
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"Null": {
"aws:RequestTag/Owner": "true"
}
}
}
```
## Connections
- [[AWS-Landing-Zone]] — SCP 是 LZ 治理的核心工具
- [[Checkpoint-Firewall]] — SCP + Checkpoint 构成标签驱动的端到端安全体系
- [[ctp-topic-10-aws-landing-zone-lz-data-collection-tagging-related-security]]
- [[ctp-topic-28-aws-tag-validation-tool]] — SCP 强制执行标签,Tag Validation Tool 审计存量资源
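Review bot: The expansion of SCP is wrong throughout this file: the front matter `title: "SCP (Security Control Policy)"` and the opening sentence of the Definition section both say "Security Control Policy", but the AWS Organizations policy type is the Service Control Policy; please correct the title, the Definition paragraph and the file name before this lands as a concept page. Two further points on the same hunk. The Definition and the second Core Mechanism bullet (OU inheritance) present SCPs as deny-only, with the top-level OU's deny "taking priority"; an SCP may also carry Allow statements (the default FullAWSAccess policy is one), it never grants permissions on its own, and a Deny at any level of the root-to-account chain applies with the same effect, so "priority" is the wrong model. The usual caveats belong here too: SCPs do not restrict the management account or service-linked roles. The Example Use Case block is not a valid SCP document as written: it is a bare statement with no `Version` / `Statement` wrapper, the fence has no language tag, and the leading `# 拒绝在没有 Owner 标签的情况下创建 EC2` line would make it invalid JSON if pasted; suggest a ```json fence, moving the comment into a `Sid`, and a sentence noting that `ec2:RunInstances` also creates volumes and network interfaces, so a deny scoped to `arn:aws:ec2:*:*:instance/*` only enforces the tag on the instance itself. Finally, the third Core Mechanism bullet (preventing tag tampering) has no matching example; a companion statement denying `ec2:CreateTags` and `ec2:DeleteTags` on resources where `aws:ResourceTag/Team` is already set, excepting the role that owns tagging, would be the guardrail that bullet describes.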