How to import existing AWS Organizations SCPs and RCPs to CloudFormation

Many AWS Organizations customers begin by creating and manually applying service control policies (SCPs) and resource control policies (RCPs) through the AWS Management Console or AWS Command Line Interface (AWS CLI) when they first set up their environments. However, as the organization grows and the number of policies increases, this manual approach can become cumbersome. It can result in limited visibility into all implemented SCPs and RCPs, the targets they’re attached to (such as accounts, organizational units [OUs], or nested OUs), and the ability to manage updates effectively. Without clear visibility and proper access controls, it becomes challenging to track who’s making changes and how they are being made.

Importing existing SCPs and RCPs into AWS CloudFormation can help streamline the management of your policies by enabling history tracking, policy validation through CloudFormation Hooks, and rollback capabilities. You can also sync stacks with source code stored in a Git repository with Git sync. With Git sync, you can use pull requests and version tracking to configure, deploy, and update your CloudFormation stacks from a centralized location. When you commit changes to the template or the deployment file, CloudFormation automatically updates the stack.

In this post, I provide a solution to import existing SCPs and RCPs into AWS CloudFormation templates using the CloudFormation infrastructure as code generator (IaC generator). By using the IaC generator, you can automate the management of your SCPs and RCPs at scale.

Important: Only existing policies are brought into CloudFormation; policies are not recreated.

Solution overview

The solution in this post includes a command line tool for discovering SCPs and RCPs in your organization and automating policy import into CloudFormation templates. The following figure shows the end-to-end flow:

Figure 1: Solution overview

The end-to-end flow shown in the preceding figure includes:

1. Run the tool: The tool automates the following steps and can be run in the management account or delegated administrator account.
   1. Identify SCPs and RCPs in the organization: The tool begins by making API calls to the Organizations service to retrieve the policies in your environment. It then provides a count of the total number of SCPs and RCPs present.
   2. Identify AWS Control Tower SCPs and RCPs and policies without targets:
      1. AWS Control Tower SCPs and RCPs: The tool checks for SCPs and RCPs created by AWS Control Tower and lists them in the output for your review.
         • SCPs are identified by the aws-guardrails- prefix in their policy names.
         • RCPs are identified by the AWSControlTower-Controls- prefix in their policy names.
      2. Policies with no targets: The tool also identifies SCPs and RCPs that aren’t attached to an organizational unit (OU), account, or root and lists them. These policies might be redundant or need reassignment.
   3. CloudFormation IaC generator scan: At this stage, you will be prompted to confirm whether you want to import the policies to the CloudFormation templates using CloudFormation resource scan. If you select yes, the tool will initiate a CloudFormation resource scan using IaC generator to get details about the policies including policy name, targets, policy tags, and so on.
   4. Create template from scanned policy resources: The tool generates CloudFormation template with the policy resources. The template will include the policies without targets (if any).
2. Review process: After the template is generated, it’s recommended that you preview the template using IaC generator from the CloudFormation console. We recommend viewing the template resource section to verify and adjust the generated templates as needed (step 11 of the solution deployment).
3. Create CloudFormation stacks with the generated templates: After reviewing the templates, import them into CloudFormation stacks for deployment. It’s important to note that only existing policies are brought into CloudFormation—policies aren’t recreated. The templates reflect the current policies and policy attributes.

Consideration before implementing the solution

There are some considerations that you need to keep in mind before implementing the solution.

• If you have enabled the AWS Organizations policy management delegation, you should run this solution from the delegated administrator account. Otherwise, you can run the solution using the management account.
  

  Note: Delegating management of organizations policies to a delegated administrator member account is recommended best practice.

• AWS Control Tower SCPs and RCPs (with or without targets) won’t be imported to the CloudFormation templates because they should be managed using AWS Control Tower. Changes made to AWS Control Tower resources outside of AWS Control Tower can cause drift and affect AWS Control Tower functionality in unpredictable ways.
• FullAWSAccess SCP and RCPFullAWSAccess RCP are AWS managed policies that won’t be imported to CloudFormation because CloudFormation stacks do not allow importing AWS managed resources.
• You might see multiple CloudFormation templates created if you exceed the CloudFormation template size quotas. To help ensure smooth creation, the tool is designed to automatically split the content into multiple templates if necessary, allowing you to stay within the quotas while still accommodating the imported content.
• Note that the generated templates have the following attributes set by default.
  • Deletion policy: Set to Retain. This enables persisting the policies even when their related stack is deleted.
  • Update Replace policy: Set to Delete. This enables deletion of the physical ID associated with the policy when the policy is updated.

Solution deployment

Now that you understand the solution and know the considerations to keep in mind, you’re ready to deploy the solution.

1. Clone the solution repository.

   git clone http://github.com/aws-samples/sample-tool-for-importing-existing-AWS-SCPs-and-RCPs
   

2. Navigate to the directory of the cloned repository.

   cd sample-tool-for-importing-existing-AWS-SCPs-and-RCPs/
   

3. Install the solution (Python 3.10+ is supported)

   pip install .
   

4. If you want to use a particular AWS Identity and Access Management (IAM) principal to run this tool, create a profile in ~./aws/config using an IAM principal from your AWS Organizations management account. If you have delegated policy management to a member account, make sure that you use the IAM principal from the delegated administrator account. 
   

   Note: The IAM principal will need to have the following permissions to be able to successfully run the tool.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "organizations:Describe*",
                   "organizations:List*",
                   "cloudformation:Describe*",
                   "cloudformation:Detect*",
                   "cloudformation:Estimate*",
                   "cloudformation:Get*",
                   "cloudformation:List*",
                   "cloudformation:CreateGeneratedTemplate",
                   "cloudformation:StartResourceScan",
                   "cloudformation:UpdateGeneratedTemplate",
                   "cloudformation:CreateStack",
                   "cloudformation:DeleteStack",
                   "cloudformation:UpdateStack",
                   "cloudformation:DeleteGeneratedTemplate"
               ],
               "Resource": "*"
           }
       ]
   }
   

5. You can run the tool specifying a profile name as a command line argument. Use the following command, replacing <profile_name> with the name of the profile you created in step 4. If you do not specify a profile, the default profile from the file ~./aws/config will be used.

   policy-importer --profile <profile_name>
   

6. After the preceding command is executed, you will see an output displaying the total number of SCPs and RCPs found in the organization. The output will also list AWS Control Tower managed policies as INFO, in addition to policies without targets as a WARNING. At this point, you can enter Yes to proceed with scanning to import the policies, or enter No if you want to exit.
   

   Note: If policies without targets are detected, we recommend stopping at this point. Either delete the policies without targets or assign appropriate targets to them. You can then rerun the tool from step 5. If you proceed without addressing the policies without targets, be aware that these policies will also be included in the CloudFormation template.

   

   Figure 2: Terminal view with policies identified in the organization

7. If you enter Yes, the CloudFormation IaC resource scan will begin immediately. You will see the resource scan ID HAQM Resource Name (ARN) displayed.
   

   Note: A scan can take up to 10 minutes for every 1,000 resources.

   

   Figure 3: Terminal view with AWS CloudFormation resource scan details

8. You can also review the scan progress from the IaC generator page of the CloudFormation console as shown in the following figure. To get to the IaC generator page, go to the CloudFormation console and choose IaC generator from the navigation pane.
   
   

   Figure 4: View the scan summary in the CloudFormation console to track progress

9. Upon completion of the scan, the template generation process will be initiated.
   
   

   Figure 5: Terminal view showing CloudFormation template being created

10. After the template creation is finished, sign in to the AWS CloudFormation IaC console. Choose the Templates tab to review the generated templates and verify that they align with your requirements.
    
    

    Figure 6: View CloudFormation templates in the console

11. You can review the policies added to a template by selecting a template name.
    
    

    Figure 7: Review policies included in the template

12. When satisfied, you can proceed to import the templates into CloudFormation stacks for deployment by selecting Import to stack.
    
    

    Figure 8: Import a template into the CloudFormation stack

13. Follow the prompts to create a stack.
    
    

    Figure 9: AWS CloudFormation stack example

14. The tool automatically creates a folder named Policies in your current directory and downloads the generated templates.
    

    Note: If you encounter errors, check the recommended solutions for common issues.

Recommended next steps

As shown in the following figure, there are two recommended next steps.

Figure 10: Solution overview including recommended next steps

After the existing policies are imported into a CloudFormation stack, we recommend storing your CloudFormation templates in a private Git repository. You can use the Policies folder that was automatically created by the tool in the current local directory with the generated templates downloaded and set up a continuous integration and delivery (CI/CD) pipeline to efficiently manage the imported policies.

By using a Git repository, you can use version control features like pull requests, branch management, and history tracking. This approach allows your team to efficiently review, update, and deploy policies with better collaboration and control. You can also create a CI/CD pipeline to automate the deployment of changes to your CloudFormation stacks, helping to ensure that updates are consistent and reliable.

We also recommend incorporating CloudFormation Hooks in your environment. CloudFormation Hooks can help validate policies (and other resources) against best practices, to help ensure that they adhere to the correct syntax, follow security best practices, and minimize potential vulnerabilities.

Related resources:

• Syncing stacks with Git source code
• Blog: Validate IAM policies in CloudFormation templates using IAM Access Analyzer
• Demonstration: Validate your IAM policies with AWS CloudFormation hooks

Conclusion

Importing existing AWS Organizations service control policies (SCPs) and resource control policies (RCPs) into CloudFormation provides an efficient and scalable approach to managing and automating your AWS governance. After they’ve been imported, you can manage and update policies directly in CloudFormation, to help ensure consistency and version control across your organization. The tool also creates a Policies folder in your current directory, storing downloaded templates for use as a central repository and integration with a CI/CD pipeline.

By using CloudFormation Hooks, you can further improve your policy management by validating SCPs and RCPs against best practices and policy grammar. This approach centralizes your policy updates, making governance more automated and efficient while reducing the risk of misconfiguration.