Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features.
SCPs alone are not sufficient for allowing access in the accounts in your organization. No permissions are granted by an SCP. Attaching an SCP to an AWS Organizations entity (root, organizational unit (OU), or account) defines a guardrail, or sets limits, on the actions that the IAM users and roles in the affected accounts can perform. You still need to attach identity-based or resource-based policies to IAM users or roles, or to the resources in your organization’s accounts, to actually grant permissions. When an IAM user or role belongs to an account that is a member of an organization, the SCPs can limit the user’s or role’s effective permissions.
SCPs don’t affect users or roles in the management account (which AWS formerly called the master account). They affect only the member accounts in your organization, where they apply to every IAM user and role, including the member account’s root user. Service-linked roles are the one exception: SCPs do not restrict them.
Allow and Deny Lists
You can configure the service control policies (SCPs) in your organization to work as either of the following:
- A deny list – actions are allowed by default, and you specify what services and actions are prohibited
- An allow list – actions are prohibited by default, and you specify what services and actions are allowed
Using SCPs as a deny list
The default configuration of AWS Organizations supports using SCPs as deny lists. Using a deny list strategy, account administrators can delegate all services and actions until you create and attach an SCP that denies a specific service or set of actions. Deny statements require less maintenance, because you don’t need to update them when AWS adds new services. Deny statements usually use less space, thus making it easier to stay within the maximum size for SCPs. In a statement where the Effect element has a value of Deny, you can also restrict access to specific resources, or define conditions for when SCPs are in effect.
Using SCPs as an allow list
To use SCPs as an allow list, you must replace the AWS managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow. By removing the default FullAWSAccess SCP, all actions for all services are now implicitly denied. Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit. For a permission to be enabled for a specified account, every SCP from the root through each OU in the direct path to the account, and even attached to the account itself, must allow that permission.
- An Allow statement in an SCP can’t have a Resource element with anything except "*".
- An Allow statement in an SCP can’t have a Condition element at all.
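Both strategies above, the deny list and the allow list, come down to two questions a practitioner has to answer before attaching a policy: does an action survive every level of the root → OU → account path, and is the Allow statement I wrote even valid SCP syntax? The following Python example is added here and is not code from the original page or from AWS. It embeds constructed policies (the region list, bucket name and OU layout are assumptions), a deliberately simplified evaluator that handles only Action/Resource globbing and the StringEquals/StringNotEquals condition operators (it does not model NotAction, NotResource, or the identity-based policies that must still grant the permission), and a linter for the Allow statement rules listed above. It also flags NotAction in an Allow statement, which the SCP syntax rejects as well.

```python
import json
import re

# All policies below are constructed for this example; the region list, bucket
# name and OU layout are assumptions, not values from the page or from AWS.

# AWS managed FullAWSAccess: attached to every root, OU and account by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list style: FullAWSAccess stays attached and this SCP carves out exceptions.
# Deny statements may be scoped to specific resources and carry conditions.
DENY_LIST_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyEc2OutsideApprovedRegions", "Effect": "Deny",
     "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}},
    {"Sid": "ProtectAuditLogs", "Effect": "Deny",
     "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::audit-logs-example", "arn:aws:s3:::audit-logs-example/*"]}
  ]}""")

# Allow-list style: replaces FullAWSAccess, so anything not listed is implicitly denied.
ROOT_ALLOW_LIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCoreServices", "Effect": "Allow",
     "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"}]}
OU_ALLOW_LIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowStorageOnly", "Effect": "Allow",
     "Action": ["s3:*", "cloudwatch:*"], "Resource": "*"}]}

# Invalid allow-list SCP: a scoped Resource and a Condition on an Allow statement.
BAD_ALLOW_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ScopedAllow", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::audit-logs-example/*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _glob_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Minimal evaluator for StringEquals / StringNotEquals (assumption: the only
    operators this example needs). As in IAM, a key missing from the request
    context fails StringEquals and satisfies StringNotEquals."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)
            if (operator == "StringEquals") != present:  # mismatch for this operator
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    if not any(_glob_match(p, action, True) for p in _as_list(stmt.get("Action"))):
        return False
    if not any(_glob_match(p, resource, False) for p in _as_list(stmt.get("Resource"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def level_allows(policies, action, resource, context):
    """One org level (root, OU or account) permits an action only if some SCP
    attached there has a matching Allow and no SCP there has a matching Deny."""
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def effective_allow(path, action, resource, context=None):
    """path = list of per-level SCP lists from the root down to the account.
    Every level must allow the action for it to be available in the account."""
    return all(level_allows(level, action, resource, context or {}) for level in path)


def lint_scp(policy):
    """Flag Allow statements that violate the SCP syntax rules."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt["Effect"] != "Allow":
            continue
        if _as_list(stmt.get("Resource")) != ["*"]:
            problems.append(f'{sid}: Allow statements must use Resource "*"')
        if "Condition" in stmt:
            problems.append(f"{sid}: Allow statements can't have a Condition element")
        if "NotAction" in stmt:
            problems.append(f"{sid}: Allow statements can't use NotAction")
    return problems


# Deny-list organization: FullAWSAccess everywhere, deny-list SCP added at the root.
DENY_LIST_PATH = [[FULL_AWS_ACCESS, DENY_LIST_SCP], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
# Allow-list organization: FullAWSAccess removed at root and OU, still attached to the account.
ALLOW_LIST_PATH = [[ROOT_ALLOW_LIST_SCP], [OU_ALLOW_LIST_SCP], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    print(effective_allow(DENY_LIST_PATH, "ec2:RunInstances", "*", {"aws:RequestedRegion": "ap-southeast-2"}))
    print(effective_allow(ALLOW_LIST_PATH, "ec2:RunInstances", "*", {"aws:RequestedRegion": "eu-west-1"}))
    print(lint_scp(BAD_ALLOW_SCP))
```

The allow-list path shows the intersection rule from the text: the root allows ec2:*, but the OU below it lists only s3:* and cloudwatch:*, so ec2:RunInstances is unavailable in the account even though FullAWSAccess is still attached to the account itself. The deny-list path shows why Deny statements are the place for resource scoping and conditions: the same s3:DeleteObject call is blocked on the audit bucket and permitted elsewhere, which an Allow statement in an SCP cannot express.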