ControlTower | Rack-based Web Application Server for MacRuby

There is no IAM action

I'm afraid scp's dont offer the flexibility you need, simply because the condition keys you need are not present in the api calls. There is not a policy that says "allow createbucket with the condition that it has encryption enabled".

I've worked in various platform teams for corporates to implement these types of controls and have encountered these limitations many times. Basically there are three strategies:

1. Detective compliance
2. Corrective compliance
3. Preventive compliance

First make sure you have visibility over how stuff is configured. You can use aws config rules for this. There are definitely rules out there that check s3 buckets for encryption settings. Make sure to centralize the results of these rules using a aws config aggregator in your security account. After detection you can manually follow up on detected misconfigurations (or automate this when running at scale).

If you also like to correct mistakes you can use aws config auto remediation actions. Also various open source tools are available to help you with this. An often used one is cloud custodian with the c7n-org plugin. Also many commercial offerimgs exist but are quite expensive.

With scp's or iam policies you can prevent someone from doing stuff which is a bit lower risk than correcting misconfigurations after they happened. However, it's also very inflexible, policies can get complex real quickly and it also it doesnt tell the user why he cant do something. Often, scp's are only used for the very simple tasks (e.g. no iam users may be created) or blocking actions outside or certain regions.

I'd opt for making sure you detect stuff properly first, then see if you can either correct or prevent it.

Edit: If you have mature teams that only use ci/cd and infra as code you can also make sure your security controls are implemented using tools like cfn-guard in a pipeline build stage. Simply fail the build if their templates are not up to standards.

Edit2: to get back on your question: for some actions it's possible to prevent using scp's if there is a separate api for disabling stuff like a 'DisableEncryption' action. However for most actions it's a PutEncryptionSetting-like action and you cant really tell if its being enabled or disabled.

It might be that your account where this SCP is not working is your management (formerly called master) account.

According to the docs:

Important: SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization.

This is currently not possible via CloudFormation. https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/158

Alternatively, you can enforce the policy that only encrypted EBS volumes can be created or attached by adding the following IAM policy statement: