Enforce resource configuration to control access to new features with AWS
Security Blog
This article discusses a comprehensive approach to enforcing resource configuration and controlling access to new AWS features using AWS CloudFormation Hooks and other AWS services.
- Resource Configuration Enforcement (RCFGE) uses CloudFormation Hooks to validate resource configurations before provisioning
- Features can be "gated" by using restricted resource schema templates stored in S3
- The solution allows organizations to:
  - Control which resource configurations are allowed
  - Prevent use of unapproved features
  - Maintain flexibility for DevOps teams within defined boundaries
- Key components include:
  - CloudFormation Hooks
  - Restricted resource schema templates
  - Service Control Policies (SCPs)
  - AWS Organizations
- Recommended architecture involves a dedicated management account, delegated administrator account, and member accounts
The solution provides a secure, scalable method for governance and feature control in AWS environments.
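As an added illustration of the pre-provision check described above (example code written for this summary, not code from the post or from AWS): a hook-style validator that walks a resource's proposed properties and rejects any property, at any nesting level, that the restricted schema for that resource type does not list. The schema layout and the request shape are assumptions for the example; a real hook would load the schema from S3 and receive the CloudFormation hook payload.

```python
import json

# Constructed restricted schema for one resource type, of the kind the post
# describes storing in S3. Properties absent from it are treated as gated
# features. The layout is an assumption for this example, not the post's own.
RESTRICTED_SCHEMA = json.loads("""
{
  "typeName": "AWS::S3::Bucket",
  "properties": {
    "BucketName": {},
    "Tags": {},
    "VersioningConfiguration": {"properties": {"Status": {}}},
    "PublicAccessBlockConfiguration": {
      "properties": {"BlockPublicAcls": {}, "BlockPublicPolicy": {},
                     "IgnorePublicAcls": {}, "RestrictPublicBuckets": {}}
    }
  }
}
""")


def find_gated_properties(properties, schema, path=""):
    """Return dotted paths of properties the restricted schema does not allow.

    A schema node without a "properties" key places no restriction on its
    subtree, so anything beneath it is accepted as-is.
    """
    allowed = schema.get("properties")
    if allowed is None:
        return []
    violations = []
    for name, value in properties.items():
        full = f"{path}.{name}" if path else name
        if name not in allowed:
            violations.append(full)
        elif isinstance(value, dict):
            violations.extend(find_gated_properties(value, allowed[name], full))
    return violations


def evaluate_hook(request, schema=RESTRICTED_SCHEMA):
    """Mimic a pre-provision hook decision: FAILED when any gated property is used.

    `request` is {"resourceType": ..., "resourceProperties": {...}}, an assumed
    shape for this example rather than the real hook payload.
    """
    if request["resourceType"] != schema["typeName"]:
        return {"status": "SUCCESS", "message": "resource type not governed"}
    gated = find_gated_properties(request["resourceProperties"], schema)
    if gated:
        return {"status": "FAILED", "message": "gated properties: " + ", ".join(gated)}
    return {"status": "SUCCESS", "message": "configuration within approved schema"}
```

Because the check fails closed on any unlisted property, publishing a new restricted schema to S3 is all that is needed to approve a newly released feature for the teams that deploy through the hook.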
Related articles
- Nov 13, 2024: Introducing resource control policies (RCPs) to centrally restrict access to AWS resources
- Nov 14, 2024: Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations
- Apr 11, 2025: Unlock the Power of AWS Config: Centralized Compliance and Resource Management
- Jan 4, 2024: How to use AWS Config proactive rules and AWS CloudFormation Hooks to prevent creation of noncompliant cloud resources