Principal-Based Environment Access

Policy Description

What this SCP does

This Service Control Policy (SCP) ensures that only principals with the appropriate environment tag can access resources. This helps enforce environment segregation between production and non-production resources.

By restricting access based on principal tags, this policy creates a clear boundary between production and development environments, ensuring that only properly tagged identities can interact with production resources, which is essential for maintaining security and compliance requirements.

Validation Strategy

How to test this SCP works

To validate this SCP, you need to test with IAM roles that have different environment tags.

Valid test: Create IAM roles with different environment tags (prod vs. dev)
Expected result: Operations succeed when performed by principals tagged with Environment=prod, but fail when performed by principals with any other Environment tag value

For thorough testing, you should create EC2 instance profiles for different roles, launch instances with these profiles, and test various AWS operations from each instance to verify the SCP's effectiveness.

SCP Policy & Validation Scenarios

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalTag/Environment": "prod"
        }
      }
    }
  ]
}

# Create roles with different environment tags
aws iam create-role \
    --role-name prod-role \
    --assume-role-policy-document file://trust-policy.json \
    --tags Key=Environment,Value=prod

aws iam create-role \
    --role-name dev-role \
    --assume-role-policy-document file://trust-policy.json \
    --tags Key=Environment,Value=dev

# You would need to assume these roles and test access
# Operations should succeed when assumed as prod-role but fail as dev-role

import boto3
import json

# Initialize IAM client
iam_client = boto3.client('iam')

# Create test roles with different environment tags
trust_policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}

try:
  # Create role with prod tag
  iam_client.create_role(
    RoleName='prod-role',
    AssumeRolePolicyDocument=json.dumps(trust_policy),
    Tags=[
      {
        'Key': 'Environment',
        'Value': 'prod'
      }
    ]
  )
  print("Created role with prod tag")
  
  # Create role with dev tag
  iam_client.create_role(
    RoleName='dev-role',
    AssumeRolePolicyDocument=json.dumps(trust_policy),
    Tags=[
      {
        'Key': 'Environment',
        'Value': 'dev'
      }
    ]
  )
  print("Created role with dev tag")
  
  # Attach permissions to both roles
  policy_arn = 'arn:aws:iam::aws:policy/ReadOnlyAccess'
  
  iam_client.attach_role_policy(
    RoleName='prod-role',
    PolicyArn=policy_arn
  )
  
  iam_client.attach_role_policy(
    RoleName='dev-role',
    PolicyArn=policy_arn
  )
  
  print("Note: To fully test this SCP, you'd need to:")
  print("1. Create EC2 instance profiles for both roles")
  print("2. Launch EC2 instances with each profile")
  print("3. Test operations from each instance")
  print("Operations should succeed from the prod instance but fail from the dev instance")
  
  # Clean up
  iam_client.detach_role_policy(
    RoleName='prod-role',
    PolicyArn=policy_arn
  )
  iam_client.detach_role_policy(
    RoleName='dev-role',
    PolicyArn=policy_arn
  )
  iam_client.delete_role(RoleName='prod-role')
  iam_client.delete_role(RoleName='dev-role')
  print("Cleaned up test roles")
  
except Exception as e:
  print(f"Error in test setup: {e}")