Service Control Policies (SCPs) are a powerful feature within AWS Organizations that enable centralized control over the maximum available permissions for all accounts in your organization. SCPs act as guardrails that define the boundaries of what actions can be performed across member accounts, regardless of the IAM policies attached to users, groups, or roles within those accounts.
SCPs work as permission boundaries rather than granting permissions themselves. They filter the permissions that IAM policies can grant, meaning if an SCP does not allow a particular action, no IAM policy within the affected accounts can enable that action. This creates a hierarchical permission model where SCPs at the organization root, organizational units (OUs), or individual accounts can restrict access.
Key characteristics of SCPs include:
1. **Inheritance**: SCPs attached to the organization root apply to all OUs and accounts. SCPs attached to an OU apply to all accounts within that OU and any child OUs.
2. **Deny by Default**: When you enable SCPs, AWS applies a default FullAWSAccess policy. You can then create restrictive policies to limit permissions.
3. **No Effect on Management Account**: SCPs do not affect the management account of the organization, which maintains full administrative access.
4. **Use Cases**: Common implementations include preventing accounts from leaving the organization, restricting access to specific AWS regions, enforcing encryption requirements, and blocking certain high-risk services.
5. **Policy Syntax**: SCPs use JSON format similar to IAM policies, supporting Allow and Deny statements with conditions.
For SysOps Administrators, understanding SCPs is essential for implementing compliance requirements, establishing security baselines across multiple accounts, and ensuring that organizational security standards are enforced consistently. SCPs complement IAM policies and provide an additional layer of access control at the organizational level.
Service Control Policies (SCPs) - Complete Guide
Why Service Control Policies (SCPs) Are Important
Service Control Policies are a critical security mechanism in AWS Organizations that allow administrators to establish guardrails across multiple AWS accounts. They are essential for maintaining compliance, enforcing security boundaries, and ensuring that even users with full IAM permissions cannot perform actions that violate organizational policies. For the AWS SysOps Administrator Associate exam, understanding SCPs is crucial as they represent a key component of multi-account security strategy.
What Are Service Control Policies (SCPs)?
SCPs are a type of organization policy that you can use to manage permissions across your AWS Organization. They act as a permission boundary that defines the maximum available permissions for IAM users and roles in member accounts. Key characteristics include:
• SCPs are applied at the organizational unit (OU) or account level
• They do not grant permissions - they only restrict them
• They affect all users and roles in attached accounts, including the root user
• They do not affect service-linked roles
• The management account is never affected by SCPs
How Service Control Policies Work
SCPs use a hierarchical structure that follows the AWS Organizations tree:
1. Inheritance: SCPs are inherited from parent OUs to child OUs and accounts
2. Effective Permissions: The effective permissions are the intersection of the SCP and IAM policies
3. Deny by Default: If you use a deny list strategy, you start with FullAWSAccess and add deny statements
4. Allow List Strategy: Alternatively, you can remove FullAWSAccess and explicitly allow only specific services
SCP Syntax Example:
SCPs use JSON format similar to IAM policies with Effect, Action, and Resource elements. They support conditions for fine-grained control.
Common Use Cases:
• Preventing users from leaving the organization
• Restricting which AWS regions can be used
• Preventing deletion of CloudTrail logs
• Requiring specific tags on resources
• Blocking access to specific services
Exam Tips: Answering Questions on Service Control Policies (SCPs)
Tip 1: Remember that SCPs never grant permissions - they only restrict what IAM policies can allow. If a question asks how to grant permissions across accounts, SCPs are not the answer.
Tip 2: The management account is exempt from SCPs. If a question involves restricting actions in the management account, SCPs will not work.
Tip 3: SCPs affect the root user in member accounts. This is different from IAM policies, which cannot restrict root users.
Tip 4: Service-linked roles are not affected by SCPs. Questions about restricting AWS service actions performed by service-linked roles require a different approach.
Tip 5: When you see questions about enforcing compliance across multiple accounts in an organization, SCPs are typically the correct answer.
Tip 6: SCPs require AWS Organizations with all features enabled, not just consolidated billing.
Tip 7: For questions about regional restrictions, remember that SCPs can use the aws:RequestedRegion condition key to limit which regions users can operate in.
Tip 8: Effective permissions = SCP permissions ∩ IAM permissions. A user needs both the SCP to allow the action AND an IAM policy granting the permission.
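The SCP syntax section above describes the JSON form but shows no policy, and Tips 7 and 8 state the region condition and the intersection rule. The following added example (constructed for this guide, not taken from AWS documentation) writes a deny-list SCP using aws:RequestedRegion, an allow-list SCP with FullAWSAccess removed, and a deliberately simplified evaluator that reproduces the intersection: an action is permitted only when the SCP allows it and an IAM policy grants it. Policy contents, region names and the helper functions are assumptions for illustration.

```python
import fnmatch

# Constructed policies (not from the page). Deny-list SCP: keep FullAWSAccess, deny
# everything outside two approved regions (global services such as IAM, Organizations
# and STS are exempted with NotAction), and deny leaving the organization.
SCP_DENY_LIST = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # FullAWSAccess
    {"Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "sts:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
]
# Allow-list SCP: FullAWSAccess removed, only S3 and EC2 explicitly allowed.
SCP_ALLOW_LIST = [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]
# IAM identity policies attached inside a member account (constructed).
IAM_LIMITED = [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]
IAM_ADMIN = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]

def _action_matches(stmt, action):
    """Action/NotAction matching with IAM-style wildcards (e.g. 'ec2:Describe*')."""
    patterns = stmt.get("Action", stmt.get("NotAction", []))
    if isinstance(patterns, str):
        patterns = [patterns]
    hit = any(fnmatch.fnmatchcase(action, p) for p in patterns)
    return not hit if "NotAction" in stmt else hit

def _condition_ok(stmt, region):
    """Only aws:RequestedRegion with StringEquals/StringNotEquals is modelled here."""
    for op, kv in stmt.get("Condition", {}).items():
        regions = kv.get("aws:RequestedRegion", [])
        if op == "StringEquals" and region not in regions:
            return False
        if op == "StringNotEquals" and region in regions:
            return False
    return True

def evaluate(policy, action, region):
    """Simplified evaluation: explicit Deny wins, then Allow, else implicit deny."""
    decision = "deny"
    for stmt in policy:
        if _action_matches(stmt, action) and _condition_ok(stmt, region):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision

def effective(scp, iam, action, region):
    """Effective permission is the intersection: SCP and IAM policy must both allow."""
    return evaluate(scp, action, region) == "allow" and evaluate(iam, action, region) == "allow"
```

Note that the SCP never grants anything on its own: with IAM_LIMITED, ec2:RunInstances is denied in an approved region even though the SCP allows it, and with the allow-list SCP an admin IAM policy still cannot use a service the SCP omits.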
Key Scenarios to Recognize:
• Multi-account governance → Think SCPs
• Preventing specific actions organization-wide → Think SCPs
• Restricting even privileged users in member accounts → Think SCPs
• Compliance requirements across all accounts → Think SCPs