Enterprise Cloud Consultancy in The UK and Europe

What are Service Control Policies for?

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features.

SCPs alone are not sufficient for allowing access in the accounts in your organization: no permissions are granted by an SCP. Attaching an SCP to an AWS Organizations entity (root, organizational unit (OU), or account) defines a guardrail, or sets limits, on the actions that the IAM users and roles in the affected accounts can perform. You still need to attach identity-based or resource-based policies to IAM users or roles, or to the resources in your organization’s accounts, to actually grant permissions. When an IAM user or role belongs to an account that is a member of an organization, the SCPs can limit the user’s or role’s effective permissions.

SCPs don’t affect users or roles in the master account. They affect only the member accounts in your organization.

Allow and Deny Lists

You can configure the service control policies (SCPs) in your organization to work as either of the following:

  • A deny list – actions are allowed by default, and you specify what services and actions are prohibited
  • An allow list – actions are prohibited by default, and you specify what services and actions are allowed

Using SCPs as a deny list

The default configuration of AWS Organizations supports using SCPs as deny lists. Using a deny list strategy, account administrators can delegate all services and actions until you create and attach an SCP that denies a specific service or set of actions. Deny statements require less maintenance, because you don’t need to update them when AWS adds new services. Deny statements usually use less space, thus making it easier to stay within the maximum size for SCPs. In a statement where the Effect element has a value of Deny, you can also restrict access to specific resources, or define conditions for when SCPs are in effect.

Using SCPs as an allow list

To use SCPs as an allow list, you must replace the AWS managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit. For a permission to be enabled for a specified account, every SCP from the root through each OU in the direct path to the account, and even attached to the account itself, must allow that permission.

Notes
  • An Allow statement in an SCP can’t have a Resource element with anything except a "*".
  • An Allow statement in an SCP can’t have a Condition element at all.
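To make the deny-list and allow-list evaluation above, and the two constraints in the Notes, concrete, here is an added Python example (not code from the original post or from AWS). The sample SCPs are constructed for illustration; the model only matches Action patterns (case-sensitively, unlike real IAM) and does not evaluate Resource or Condition on Deny statements.

```python
import fnmatch

# Constructed sample SCPs for illustration; they are not policies taken from the page.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LIST_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*",
                                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
ALLOW_LIST_SCP = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                 "Action": ["s3:*", "ec2:Describe*"]}]}
# Breaks both rules from the Notes: an Allow with a scoped Resource and a Condition.
INVALID_SCP = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-bucket/*",
                              "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def validate_scp(scp):
    """List the Notes' constraints an SCP violates: Allow needs Resource "*" and no Condition."""
    problems = []
    for i, stmt in enumerate(scp["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if as_list(stmt.get("Resource")) != ["*"]:
            problems.append(f'statement {i}: Allow must use Resource "*"')
        if "Condition" in stmt:
            problems.append(f"statement {i}: Allow may not carry a Condition")
    return problems

def level_allows(scps, action):
    """One tree level (root, OU or account) with every SCP attached there: an explicit Deny
    in any of them wins, otherwise some Allow must match, else the action is implicitly denied.
    Deny-side Resource and Condition elements are not evaluated in this simplified model."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def effective_allow(path, action):
    """path = the SCPs attached at each level from the root down to the account itself.
    Every level must allow the action; an IAM policy must then still grant it."""
    return all(level_allows(scps, action) for scps in path)
```

A level with no SCP attached at all (for example after detaching FullAWSAccess without a replacement) allows nothing, which is the "everything implicitly denied" state described for the allow-list approach.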