Cloud Rule Best Practices
Cloud rules applied at the highest OU in your organization should be used to restrict actions and resources that would cause the organization to immediately fall out of compliance. For example:
- IAM deny policies to restrict access to non-US AWS commercial regions
- IAM deny policies to restrict access to specific non-FedRAMP approved services
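The two top-level OU examples above are usually expressed as a single explicit-deny IAM policy. Because an explicit deny overrides every allow granted lower in the OU tree, a rule like this at the top OU cannot be undone by a department or project rule. The policy below is an added illustration, not a policy shipped with the product; the region list and the two denied services (lightsail, gamelift) are constructed placeholders chosen to show the shape of the statements, not a statement about any service's FedRAMP status.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideUSCommercialRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        }
      }
    },
    {
      "Sid": "DenyUnapprovedServicesPlaceholder",
      "Effect": "Deny",
      "Action": [
        "lightsail:*",
        "gamelift:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Keep us-east-1 in the allowed list even if no workloads run there: global services such as IAM, STS, CloudFront, Route 53 and Organizations report aws:RequestedRegion as us-east-1, so removing it would lock out identity and billing administration along with the unwanted regions. Test a new deny rule against a non-production account first; a mistake in a top-OU deny affects every descendant account at once.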
Cloud rules applied at a department-level OU should be used to give permission to services and resources that are approved for use within the organization and set up base account configuration. For example:
- IAM allow policy to permit services approved for use by the program
- CFTs to set up base AWS networking infrastructure (VPCs, subnets, security groups, etc.)
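A department-level base networking CFT is typically small and opinionated: a VPC, a private subnet, and a security group that starts from deny-all so that projects have to open ports deliberately. The template below is an added example, not the product's own template; the CIDR defaults and resource names are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: base VPC with one private subnet and a default-deny security group",
  "Parameters": {
    "VpcCidr": { "Type": "String", "Default": "10.0.0.0/16" },
    "SubnetCidr": { "Type": "String", "Default": "10.0.1.0/24" }
  },
  "Resources": {
    "Vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": { "Ref": "VpcCidr" },
        "EnableDnsSupport": true,
        "EnableDnsHostnames": true,
        "Tags": [ { "Key": "Name", "Value": "base-vpc" } ]
      }
    },
    "PrivateSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": { "Ref": "Vpc" },
        "CidrBlock": { "Ref": "SubnetCidr" },
        "MapPublicIpOnLaunch": false,
        "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] }
      }
    },
    "BaseSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "No inbound rules; outbound HTTPS only",
        "VpcId": { "Ref": "Vpc" },
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIp": "0.0.0.0/0",
            "Description": "HTTPS egress for package and API access"
          }
        ]
      }
    }
  },
  "Outputs": {
    "VpcId": { "Value": { "Ref": "Vpc" } },
    "PrivateSubnetId": { "Value": { "Ref": "PrivateSubnet" } },
    "BaseSecurityGroupId": { "Value": { "Ref": "BaseSecurityGroup" } }
  }
}
```

Two details matter for the security posture. No internet gateway or route to 0.0.0.0/0 is created, so the subnet is private until a project rule deliberately adds one. Declaring SecurityGroupEgress replaces the implicit allow-all outbound rule CloudFormation would otherwise leave in place, so the group really is HTTPS-only.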
Cloud rules applied at mid-level OUs should be used to refine services, resources, and account configurations based on descendant projects. For example:
- IAM deny policy to restrict EC2 instance sizes that were not purchased as an RI for the project
- CFTs to set up project AWS infrastructure
Cloud rules applied at a project-level should further refine services, resources, and account configurations for the specific project. For example:
- IAM allow policy for AWS Lambda to allow trying a new service
- Cloud access role IAM deny policy to restrict access to create EC2 instances for auditors
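Both the mid-level example (deny instance sizes that were not purchased as an RI) and the project-level example (deny auditors the ability to create EC2 instances) are deny statements on ec2:RunInstances; the only difference is whether a condition narrows the deny to particular instance types. The policy below is an added example, not the product's own; the approved instance types are constructed placeholders standing in for whatever the project actually reserved.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesWithoutReservation",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "m5.large",
            "m5.xlarge"
          ]
        }
      }
    },
    {
      "Sid": "DenyInstanceCreationForAuditorRole",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*"
    }
  ]
}
```

In practice the two statements live in different cloud rules: the first on a mid-level OU so every descendant project inherits it, the second only on the auditor cloud access role at the project level. The ec2:InstanceType condition is evaluated against the instance resource, which is why the first statement's Resource is the instance ARN pattern rather than "*"; a deny written against "*" with that condition would also match the unrelated resources (AMI, subnet, security group, volume) that RunInstances touches and fail to behave as intended. Note that RunInstances is not the only path to an unreserved size: stopping an instance and changing its type through ec2:ModifyInstanceAttribute bypasses this rule unless that action is constrained as well, using the ec2:Attribute/InstanceType condition key.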
What Next?