AWS recently introduced declarative policies, a feature to help organizations define and enforce desired configurations for AWS services at scale. This capability addresses common challenges faced by customers who need to establish standards for cloud resource configurations, such as blocking public access to Amazon EBS snapshots.
Esra Kayabali, Senior Solutions Architect at AWS, elaborated on the announcement in a blog post. Declarative policies allow users to set specific configurations, such as blocking public access for VPCs, with minimal effort, ensuring that the desired state is maintained throughout a multi-account environment. Once a policy is attached, AWS automatically enforces compliance, making it easier to achieve the required configurations. This feature is particularly beneficial because it maintains the set configurations even when new features or APIs are introduced.
The implementation of declarative policies provides administrators with visibility into the current state of service attributes across their environments. Unlike traditional access control policies that may restrict information sharing, declarative policies enable end users to receive customized error messages crafted by their organization’s administrators. These messages guide users on how to rectify configuration issues and direct them to internal resources or support channels.
At the time of launch, declarative policies support several AWS services, including Amazon EC2, Amazon VPC, and Amazon EBS. The available service attributes include enforcing Instance Metadata Service version 2 (IMDSv2), allowing troubleshooting via serial console access, setting allowed Amazon Machine Image (AMI) configurations, and blocking public access for various services like EBS snapshots and EC2 AMIs. Furthermore, any new accounts added to an organization will automatically inherit the declarative policies applied at the organizational or account level.
To get started, navigate to the AWS Organizations console and select Policies from the navigation pane. From there, choose Declarative policies for EC2 from the list of supported policy types. Once the policy type is enabled, the user can define and enforce desired configurations for EC2 across all accounts within their AWS Organization.
Source: Simplify governance with declarative policies
Users can create and manage these policies through multiple interfaces: the AWS Organizations console, the AWS Command Line Interface (AWS CLI), AWS CloudFormation, or AWS Control Tower. Policies can be applied at different levels: organization-wide, at the organizational unit (OU) level, or at the individual account level. When activated, these declarative policies prevent any non-compliant actions from being executed, regardless of whether they are initiated through an AWS Identity and Access Management (IAM) role or by an AWS service using a service-linked role.
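To make the desired-state model concrete, here is an added Python example (not code from the AWS post or from this article) that builds an EC2 declarative policy document and reports which of two constructed sample accounts drift from it. The JSON attribute names and values are assumed from the AWS declarative policy documentation, the account IDs and attribute values are constructed, and the URL in the exception message is a placeholder.

```python
import json

# EC2 declarative policy in the AWS Organizations management-policy JSON syntax.
# Attribute names/values are ASSUMED from the AWS declarative-policy docs, not
# from this article; "@@assign" sets an attribute's desired value.
EC2_DECLARATIVE_POLICY = {
    "ec2_attributes": {
        "vpc_block_public_access": {"internet_gateway_block": {"mode": {"@@assign": "block_bidirectional"}}},
        "snapshot_block_public_access": {"state": {"@@assign": "block_all_sharing"}},
        "instance_metadata_defaults": {"http_tokens": {"@@assign": "required"}},
        "serial_console_access": {"status": {"@@assign": "disabled"}},
        # Custom message shown to a user whose action is blocked (placeholder URL).
        "exception_message": {"@@assign": "Blocked by org baseline: https://wiki.example/cloud"},
    }
}

def desired_state(policy):
    """Flatten the policy into {"attribute.sub.key": desired_value} pairs."""
    wanted = {}
    def walk(node, path):
        for key, val in node.items():
            if key == "exception_message":  # guidance text, not an enforced attribute
                continue
            if isinstance(val, dict) and "@@assign" in val:
                wanted[".".join(path + [key])] = val["@@assign"]
            elif isinstance(val, dict):
                walk(val, path + [key])

    walk(policy["ec2_attributes"], [])
    return wanted

# Constructed sample of each account's current attribute values (same flattened
# form): one account is compliant, the other drifts on two settings.
SAMPLE_ACCOUNT_STATE = {
    "111111111111": desired_state(EC2_DECLARATIVE_POLICY),
    "222222222222": {
        **desired_state(EC2_DECLARATIVE_POLICY),
        "instance_metadata_defaults.http_tokens": "optional",  # IMDSv1 still allowed
        "snapshot_block_public_access.state": "unblocked",     # public sharing possible
    },
}

def find_drift(policy, account_state):
    """Return {account: {attribute: (current, desired)}} for accounts that drift."""
    wanted = desired_state(policy)
    report = {a: {k: (c.get(k), v) for k, v in wanted.items() if c.get(k) != v}
              for a, c in account_state.items()}
    return {a: m for a, m in report.items() if m}

if __name__ == "__main__":
    print(json.dumps(find_drift(EC2_DECLARATIVE_POLICY, SAMPLE_ACCOUNT_STATE), indent=2))
```

Running it prints only the second account, with each drifting attribute's current and desired value, which is the kind of visibility the policy's enforcement removes the need to chase by hand.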
Discussing the benefits of declarative policies, Vojtech Mencl, Head of Cloud Engineering at ABSA, remarked,
ABSA Group operates in a heavily regulated environment and as we adopt more services, we use SCP policy exclusions to restrict actions and Config rules to detect violations. However, we must create an exception for every new API or feature. With declarative policies, we can simply set VPC Block Public Access to true and have peace of mind that no users, service-linked roles, or future APIs can facilitate public access in our AWS Organizations.
As an aside, AWS also recently introduced simultaneous sign-in for multiple AWS accounts in the AWS Management Console, a feature welcomed by the tech community. Users can now sign in to up to five accounts (root, IAM, or federated roles) within a single browser, eliminating the need for workarounds like multiple browsers or plugins.
The announcement was noticed on Reddit, with one user exclaiming, “Finally!! I manage 5 accounts for my company… always had to do jumping here and there to actually work.”
Declarative policies are now available in AWS commercial Regions, the AWS China Regions, and the AWS GovCloud (US) Regions. For more information on declarative policies and to begin implementing them, readers can refer to the declarative policies documentation.