What is a Cloud Rule?
Cloud rules are collections of cloud-specific resources that can be applied to cloud accounts. Cloud rules can be applied hierarchically and inherited from parent OU to child OU to projects, or they can be applied directly to individual projects.
Cloud rules apply the following resources to cloud accounts:
- AWS IAM Policies
- AWS CloudFormation Templates
- Shared AWS AMIs
- AWS Service Catalog Portfolios
- Azure Role Definitions
- Azure Policy Definitions
- Azure ARM Templates
- Compliance Standards
Users can request exemptions from cloud rules on projects and OUs. If a cloud rule exemption request is approved on an OU, then all of the projects below the OU are also exempt from the cloud rule. For more information, see Cloud Rule Inheritance and Exemption.
Cloud rules applied at the highest OU in your organization should be used to restrict actions and resources that would cause the organization to immediately fall out of compliance. For example:
- IAM deny policies to restrict access to non-US AWS commercial regions
- IAM deny policies to restrict access to specific non-FedRAMP approved services
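A top-level deny of the kind described above, written as an IAM policy document. This is an added illustration, not a policy shipped with the product or taken from the original page. The four US commercial regions and the two service prefixes under `DenyUnapprovedServices` are placeholder choices for the example (pick the list your compliance team actually approves; nothing here asserts the authorization status of any service). The `NotAction` list follows the AWS-documented pattern of exempting global services, whose API calls are not tied to the regions in the `aws:RequestedRegion` list and would otherwise be blocked.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideUSCommercialRegions",
      "Effect": "Deny",
      "NotAction": [
        "cloudfront:*",
        "iam:*",
        "route53:*",
        "support:*",
        "sts:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        }
      }
    },
    {
      "Sid": "DenyUnapprovedServices",
      "Effect": "Deny",
      "Action": [
        "lightsail:*",
        "gamelift:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Two things to check before attaching this at the top of the hierarchy: because an explicit deny overrides every allow granted lower down, a mistake here (for example omitting `iam:*` from `NotAction`) can lock every descendant project out of console and API access at once, so test the policy on a sandbox OU first; and remember that `StringNotEquals` on a key that is absent from the request evaluates to true, which is exactly why global-service calls need the `NotAction` carve-out.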
Cloud rules applied at a department-level OU should be used to give permission to services and resources that are approved for use within the organization and set up base account configuration. For example:
- IAM allow policy to permit services approved for use by the program
- CloudFormation templates (CFTs) to set up base AWS networking infrastructure (VPCs, subnets, security groups, etc.)
Cloud rules applied at mid-level OUs should be used to refine services, resources, and account configurations based on descendant projects. For example:
- IAM deny policy to restrict EC2 instance types that were not purchased as Reserved Instances (RIs) for the project
- CFTs to set up project AWS infrastructure
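The instance-type restriction described above, as an added example rather than a policy from the original page. The two `m5` types stand in for whatever the project actually purchased as Reserved Instances. The statement is scoped to the `instance` resource type on purpose: `ec2:InstanceType` is only present in the request context for that resource, and `RunInstances` also authorizes against volumes, network interfaces and other resource types, where the key is missing and `StringNotEquals` would match and deny every launch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesNotCoveredByProjectRIs",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "m5.large",
            "m5.xlarge"
          ]
        }
      }
    }
  ]
}
```

Because this is applied at a mid-level OU, every project beneath it inherits the restriction; a project that needs a different type requests an exemption through the process described earlier rather than receiving a broader allow, since an allow cannot override an explicit deny.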
Cloud rules applied at a project-level should further refine services, resources, and account configurations for the specific project. For example:
- IAM allow policy for Lambda so the project can try a new service
- Cloud access role IAM deny policy to restrict auditors from creating EC2 instances