AWS Public Sector Blog

Preventive controls for FedRAMP 20x: Using SCPs and guardrails to enforce KSIs

https://app.asana.com/1/8442528107068/project/1207199896111772/task/1214439772201800?focus=true

Why preventive controls matter for FedRAMP 20x

Organizations strengthen their security posture when Amazon Web Services (AWS) cloud resources consistently align with security and regulatory requirements. Preventive security controls, which are designed to minimize or avoid threat events, help enforce these requirements before misconfigurations are deployed.

In this post, we show how service control policies (SCPs) in AWS Organizations help enforce Federal Risk and Authorization Management Program (FedRAMP) 20X Key Security Indicators (KSIs) at the organizational level, making noncompliant configurations impossible before they reach deployment. This approach helps reduce your assessment surface and shifts compliance from detection to prevention.

Why preventive controls matter for FedRAMP 20x

In our second blog post, we categorized the 46 KSIs across 10 themes and identified which ones are fully automatable. Detective controls such as AWS Config rules and AWS Security Hub checks identify noncompliant resources after they are created. Preventive controls go further: they block the creation of noncompliant resources entirely.

The FedRAMP Consolidated Rules for 2026 (CR26) emphasize automated enforcement and secure-by-design principles. SCPs are the primary mechanism for achieving this on Amazon Web Services (AWS). When an independent assessor reviews your environment and finds that certain noncompliant states are structurally impossible, those KSIs require less assessment effort. Your compliance posture becomes provable by architecture rather than by periodic checks.

How SCPs enforce KSIs

An SCP is a policy attached to an organizational unit (OU) or account within AWS Organizations. SCPs define the maximum permissions available to principals in that account. They don’t grant permissions; they restrict them. If an SCP denies an action, no identity and access management (IAM) policy in the account can override it.

The following figure shows how SCPs sit in the enforcement hierarchy, blocking noncompliant API calls before they reach AWS services. Your application sends API calls through the AWS Organizations policy evaluation layer, where SCPs intercept and deny noncompliant requests before they can create resources.

SCP enforcement architecture showing how preventive controls intercept API calls at the AWS Organizations level before resources are created, complementing detective controls that monitor resources after creation.

Figure 1: SCP enforcement architecture showing organizational policy evaluation intercepting API calls

For FedRAMP 20x, this means you can map specific SCPs to specific KSIs and demonstrate that certain security outcomes are enforced by organizational policy, not just monitored.

SCP examples mapped to KSIs

Preventing controls help shift compliance enforcement earlier in the deployment lifecycle by blocking noncompliant actions before resources are provisioned. The following examples demonstrate how SCPs can enforce specific FedRAMP 20x KSIs through centralized organizational guardrails.

Enforcing encryption at rest (KSI-SVC-VRI)

KSI-SVC-VRI (validating resource integrity) requires using cryptographic methods to validate the integrity of machine-based information resources. The following SCP denies the creation of unencrypted Amazon Elastic Block Store (Amazon EBS) volumes:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEBSVolumes",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    }
  ]
}

With this SCP in place, no principal in the account can create an unencrypted EBS volume regardless of their IAM permissions. This helps provide persistent enforcement of KSI-SVC-VRI for block storage.

Blocking public Amazon S3 access (KSI-CNA-MAT)

KSI-CNA-MAT (minimizing attack surface) requires that machine-based information resources are persistently reviewed to have a minimal attack surface. Public Amazon Simple Storage Service (Amazon S3) buckets are one of the most common sources of unintended access. The following SCP helps enforce the S3 Block Public Access settings at the account level:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3PublicAccess",
      "Effect": "Deny",
      "Action": "s3:PutBucketPublicAccessBlock",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:publicAccessBlockConfiguration/BlockPublicAcls": "true",
          "s3:publicAccessBlockConfiguration/BlockPublicPolicy": "true",
          "s3:publicAccessBlockConfiguration/IgnorePublicAcls": "true",
          "s3:publicAccessBlockConfiguration/RestrictPublicBuckets": "true"
        }
      }
    }
  ]
}

Enforcing Instance Metadata Service Version 2 (IMDSv2) (KSI-SVC-ACM, KSI-CNA-IBP)

KSI-SVC-ACM (automating configuration management) requires that the configuration of machine-based information resources is managed using automation and persistently reviewed for drift. KSI-CNA-IBP (implementing best practices) requires that the use and configuration of third-party machine-based information resources is persistently compared against the original provider’s best practices. IMDSv2 is an AWS best practice that helps prevent server-side request forgery (SSRF) from accessing instance credentials:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireIMDSv2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}

Requiring phishing-resistant authentication for sensitive actions (KSI-IAM-APM)

KSI-IAM-APM (adopting passwordless methods) requires that secure passwordless methods are used for user authentication and authorization when feasible, otherwise strong passwords with phishing-resistant multi-factor authentication (MFA) are used. MFA enforcement is typically handled at the identity provider level, but SCPs can require MFA for sensitive API actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStopDeleteWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance",
        "rds:DeleteDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Dual mapping: NIST 800-53 and FedRAMP 20x KSIs

Each SCP can be mapped to both National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev5 controls and FedRAMP 20x KSIs. This dual mapping is valuable because FedRAMP 20x KSIs trace back to NIST 800-53 controls, and many organizations already have NIST 800-53 compliance programs in place.

SCP FedRAMP 20x KSI NIST 800-53 controls
Deny unencrypted EBS KSI-SVC-VRI SC-13, SI-7
Block public S3 KSI-CNA-MAT SC-7.3, SC-7.5
Require IMDSv2 KSI-CNA-IBP, KSI-SVC-ACM CM-2, CM-6, PL-10
Require MFA for destructive actions KSI-IAM-APM IA-2, IA-2.1, IA-2.8
Deny non-FIPS endpoints UCM (FRR process) SC-13
Restrict AWS Regions KSI-CNA-MAT SC-7.3, SC-7.5

This mapping helps your compliance team demonstrate coverage across both frameworks simultaneously.

Deploying SCPs with the Landing Zone Accelerator

If you’re using the Landing Zone Accelerator on AWS (LZA) with the Universal Configuration, SCPs are deployed through the organization-config.yaml file. The LZA manages SCP lifecycle, including creation, attachment to OUs, and updates through your infrastructure as code (IaC) pipeline.

The project repository includes 74 SCPs that map to FedRAMP 20x KSIs. These cover encryption enforcement, network restrictions, service limitations, and identity controls. Each SCP includes metadata documenting the KSI mapping, the NIST 800-53 control mapping, and the enforcement behavior.

How preventive controls help reduce assessment burden

When your independent assessor evaluates your environment, they need to verify that each KSI is addressed. For KSIs enforced by SCPs, the assessor can verify the SCP policy, confirm it’s attached to the correct OUs, and confirm that no exceptions exist. This is a faster and more deterministic assessment than sampling resources to check for compliance.

Consider the difference:

  • Without SCPs – The assessor samples Amazon Elastic Compute Cloud (Amazon EC2) instances to verify encryption, checks S3 buckets for public access, and reviews IAM policies for MFA requirements. Any noncompliant resource found requires a Plan of Action and Milestones (POA&M) entry.
  • With SCPs – The assessor reviews the SCP, confirms it’s attached, and verifies that the denied actions can’t be performed. The assessment for those KSIs is complete.

This reduction in assessment surface is one of the most practical benefits of a preventive-first approach.

Additional SCP patterns for FedRAMP 20x

Beyond the preceding examples, several additional SCP patterns address KSIs and FedRAMP Rules (FRR) processes that are commonly overlooked:

  • Deny non-FIPS endpoints (UCM FRR process) – The Using Cryptographic Modules (UCM) FRR process requires that providers select and use cryptographic modules appropriately. Note that UCM requirements are still being finalized in the CR26 public preview. In AWS GovCloud (US) Regions, FIPS endpoints are available by default. In commercial Regions, you can use SCPs to deny API calls that don’t use FIPS endpoints by checking the aws:SecureTransport condition and restricting to FIPS-validated endpoints.
  • Restrict AWS Regions (KSI-CNA-MAT) – Limiting which Regions can host resources helps reduce your attack surface and simplifies compliance monitoring. An SCP that denies all actions outside your approved Regions, for example, US West (N. California) – us-gov-west-1 and US East (N. Virginia) – us-gov-east-1, supports KSI-CNA-MAT by reducing the number of locations where resources can exist.
  • Deny disabling of security services (KSI-MLA-LET, KSI-MLA-OSM) – SCPs can prevent principals from disabling AWS CloudTrail, AWS Config, Amazon GuardDuty, or AWS Security Hub. This supports KSI-MLA-LET (logging event types) and KSI-MLA-OSM (operating SIEM capability) by making it structurally impossible to turn off the logging and monitoring infrastructure.
  • Enforce S3 encryption (KSI-SVC-VRI) – An SCP that denies s3:PutObject without server-side encryption headers supports KSI-SVC-VRI for object storage, complementing the EBS encryption SCP shown earlier.

Each of these patterns follows the same principle: if a noncompliant state is architecturally impossible, it doesn’t need to be detected, remediated, or explained in your certification package.

Combining preventive and detective controls

SCPs aren’t a complete solution. They operate at the API level and can’t enforce every KSI. For example, SCPs can’t verify that log retention periods meet requirements, that vulnerability scans run on schedule, or that training programs are effective. Detective controls remain essential for runtime validation.

The recommended approach is defense in depth:

  1. Preventive (SCPs) – Block noncompliant resource creation at the organizational level.
  2. Pre-deploy (IaC scanning) – Catch misconfigurations in templates before deployment.
  3. Runtime (AWS Config rules) – Detect drift from desired state after deployment.
  4. Threat detection (Amazon GuardDuty, Sigma rules) – Identify active issues in real time.

Each layer catches what the previous layer might miss. SCPs can’t evaluate the content of an AWS CloudFormation template, but IaC scanning can. IaC scanning can’t detect runtime drift, but AWS Config rules can. AWS Config rules can’t detect active credential compromise, but Amazon GuardDuty can.

The next post in this series will cover the pre-deployment layer in detail, demonstrating how to validate IaC templates against KSI requirements before they reach your AWS environment.

What comes next

With organizational guardrails in place, the next layer of defense is validating IaC before deployment. In the fourth post in this series, we demonstrate a multi-tool validation pipeline using Open Policy Agent (OPA) and Rego, AWS CloudFormation Guard, and Checkov that catches compliance violations in your continuous integration and continuous deployment (CI/CD) pipeline.

Next steps and resources

Dr. Tommy Kromer

Dr. Tommy Kromer

Dr. Tommy Kromer is a Practice Manager with AWS Security Assurance Services (SAS), focusing on public sector compliance and security operations. He has spent his career helping government contractors navigate complex regulatory landscapes, from the early days of DIACAP through some of the first RMF accreditations to today's CMMC requirements. Leveraging his experience across the Department of Defense and intelligence community, along with expertise in security operations center management and threat hunting, Tommy works closely with customers to align security and compliance as complementary forces that achieve mission-critical objectives.

Paul Keastead

Paul Keastead

Paul Keastead is a Senior Security Engineer with AWS Global Professional Services Security, where he builds the operational security mechanisms that govern how ProServe delivers to customers worldwide. His work spans engagement security automation, AI-powered provider risk assessments, and GenAI governance for a global delivery organization across 24 countries. He designs assessment frameworks and tooling that enable providers to demonstrate security posture across complex control environments including CMMC, FedRAMP, and critical infrastructure protection. He brings over a decade of security leadership across the Marine Corps, federal research, and private sector technology compliance.

Roger Fortuna

Roger Fortuna

Roger Fortuna is a Senior Assurance Consultant with AWS Security Assurance Services (SAS) specializing in Cybersecurity Maturity Model Certification (CMMC) and Department of Defense Security Requirements Guide (DoD SRG) compliance. He helps defense industrial base organizations and cloud service providers achieve and maintain their authorization objectives in the cloud. Drawing on deep expertise in CMMC assessment readiness, FedRAMP equivalency for DoD workloads, and Impact Level (IL) authorization requirements, Roger works closely with customers, assessors, and Amazon Web Services (AWS) teams to align defense compliance mandates with practical cloud architecture and business outcomes.

Satish Uppalapati

Satish Uppalapati

Satish Uppalapati is an Associate Assurance Consultant with AWS Security Assurance Services and has more than 8 years of experience in IT risk, governance, and regulatory assurance. He works with AWS customers to help align cloud environments with frameworks such as ISO 27001, SOC 2, and FFIEC. Satish also focuses on advancing governance for AI systems, including emerging standards such as ISO/IEC 42001.