AWS SCP checker
For customers who host Glean within their AWS environment, Glean provides a script to determine whether any Service Control Policies (SCPs) in your AWS organization conflict with Glean's required IAM permissions.
The script provides a general assessment of your SCPs to capture ones that could interfere with Glean. There may still be conflicts it cannot detect, because the script cannot test every possible IAM condition.
Prerequisites
AWS infrastructure requirements
- Create a separate AWS account just for Glean. If you followed the AWS deployment guide, this is already complete.
- Create an IAM principal. Glean recommends creating a permission set in AWS IAM Identity Center (AWS SSO) in the organization root account with read-only permissions for IAM. Attach the
SecurityAuditAWS managed policy (arn:aws:iam::aws:policy/SecurityAudit) to this principal. You can delete this once the script has completed.
Prepare Python
-
Download the script: glean_scp_checker.zip
-
Unzip the file. Open a terminal and navigate to the
customer_scp_checkerdirectory. -
Within the
customer_scp_checkerdirectory, create a virtual environment with Python 3.10 or later:python -m venv venv -
Activate the virtual environment:
source venv/bin/activate -
Install the Python requirements inside the virtual environment:
pip install .
Review the script (optional)
Because the script is run in the organization root account, you may want to review it before running. Feel free to examine the script. The included README describes the full logic flow. See How it works for more information on the README.
Run the script
Fetch the read-only IAM credentials from the prerequisites and export them into your terminal. Then run the following command inside the virtual environment:
# Make sure the read-only SecurityAudit AWS credentials are exported into this terminal
python scp_checker.py --glean-account-id YOUR-GLEAN-AWS-ACCOUNT-ID --glean-deployment-region REGION-YOU-ARE-DEPLOYING-GLEAN
The script outputs whether there are any conflicts.
Resolve conflicts
If the script outputs conflicts, reach out to your Glean contact. If you need to exempt only the Glean account from a specific SCP, add a condition to the SCP that allows the Glean account to be exempt:
"Condition": {
"StringNotEquals": {
"aws:PrincipalAccount": "GLEAN-AWS-ACCOUNT-ID"
}
}
This condition enforces the SCP for all AWS accounts it applies to, except the Glean AWS account. This lets you maintain your security posture while explicitly exempting the Glean account.
How it works
The script is read-only and does not mutate any infrastructure resources.
It fetches all the SCPs associated with an AWS account's hierarchy in AWS Organizations, collecting the SCPs that apply to the Glean deployment account. It first describes the SCPs attached to the account directly, then walks up the account's organization hierarchy until it reaches the organization root, describing all attached SCPs along the way.
Once the script collects the SCPs, it examines the required IAM permissions that Glean needs to operate (defined in a JSON file under the resources/ directory) and uses the AWS IAM Policy Simulator to determine whether there is a conflict for a given permission. It passes the SCP policy statements along with the IAM policy to be tested to the simulator, which reports whether there is an explicit deny. An explicit deny means an SCP is blocking that action.
The IAM Policy Simulator does not require you to create any new roles or resources. It only needs read-only credentials. The script also tests for common global IAM condition keys:
aws:PrincipalAccountaws:PrincipalArnaws:PrincipalOrgIdaws:PrincipalTypeaws:RequestedRegion
The script provides these global IAM condition keys to the simulator, which assesses them against the SCPs to determine whether there is a conflict.
Caveats
The script cannot test everything. The IAM Policy Simulator does not support:
NotActionstatementsNotResourcestatements
The script does not evaluate SCP statements with these keys, and there may be other conditionals the script cannot test for.