Understanding Service Control Policies (SCPs) in AWS Organizations
Service Control Policies (SCPs) are a powerful tool for managing permissions across your AWS organization. They provide centralized control over the maximum available permissions for all accounts within your organization, ensuring that your accounts stay within your organization's access control guidelines. SCPs never grant permissions on their own: a principal still needs an IAM identity or resource policy that allows the action, and the SCP layer only caps what those policies can grant.
How SCPs Work
SCPs follow a deny-by-default model, meaning that any permissions not explicitly allowed in the SCPs are denied. For a permission to be allowed for a specific account, there must be an explicit Allow statement at every level from the root through each Organizational Unit (OU) in the direct path to the account, including the target account itself. An explicit Deny at any of those levels overrides an Allow at the same level or any other level. When you enable SCPs, AWS Organizations attaches an AWS-managed SCP named FullAWSAccess to the root and to every OU and account, so that nothing is blocked until you add restrictions. This policy allows all actions on all resources.
SCP Evaluation Process
Let's consider an example organization structure to understand how SCPs are evaluated:
Root
├── Production OU
│   └── Account B
└── Sandbox OU
    └── Account A
For a permission or service to be allowed in Account B, an SCP that allows that permission or service must be attached at each of the following levels:
The Root
The Production OU
Account B itself
If an Allow statement is missing at any of these levels, or an explicit Deny matches at any of them, the access is denied.
Example Scenarios
Let's examine some scenarios to illustrate how SCPs work:
In Scenario 1, Account A has no access to S3 or EC2 because of the Deny statements in its parent OU (Sandbox) and in the account itself. Account B only loses S3 access, because of the Deny statement attached to the Root.
Scenario 2 shows that when all levels have an Allow statement for EC2, both accounts can access EC2.
In Scenario 3, despite Allow statements lower in the hierarchy, the Deny for S3 at the Root level blocks S3 access for all accounts: an explicit Deny cannot be overridden by an Allow at any other level.
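The evaluation rules above (any Allow at each level, explicit Deny wins, intersection across root, OU and account) can be checked with a small simulator. The following is an added example written for this page, not AWS code: it models the two-OU tree shown earlier, reproduces the three scenarios using constructed policy documents that match their descriptions (Scenario 1: Root denies s3:*, Sandbox OU denies ec2:*, Account A denies s3:*; Scenario 3: Root denies s3:* while every lower level explicitly allows it), and adds a fourth allow-list case not on the page, where FullAWSAccess has been detached from the Production OU and only ec2:* is allowed there. The helper names, the scenario layouts and the sample actions are assumptions; the evaluator only looks at Action/NotAction and Effect, treating Resource as "*" and ignoring Condition elements, which real SCPs also support.

```python
import fnmatch

# Constructed policy documents. FULL_AWS_ACCESS mirrors the shape of the
# AWS-managed FullAWSAccess SCP; the other two are assumed helper policies.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def allow_service(prefix):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": f"{prefix}:*", "Resource": "*"}]}


def deny_service(prefix):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": f"{prefix}:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement covers every action except the listed ones.
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def allowed_at_node(scps, action):
    """Combined result of all SCPs attached to ONE root, OU or account.
    An explicit Deny in any attached SCP wins; otherwise some attached SCP must
    contain a matching Allow. No matching statement at all means denied."""
    allowed = denied = False
    for scp in scps:
        for stmt in _as_list(scp["Statement"]):
            if _statement_applies(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
    return allowed and not denied


def is_allowed(attachments, path, action):
    """An action survives the SCP layer only if every node on the path from the
    root down to the account allows it (an intersection across levels)."""
    return all(allowed_at_node(attachments.get(node, []), action) for node in path)


# The tree from the article: Root -> Production OU -> Account B, Root -> Sandbox OU -> Account A.
PATH_A = ["Root", "Sandbox OU", "Account A"]
PATH_B = ["Root", "Production OU", "Account B"]
EVERY_NODE = sorted(set(PATH_A + PATH_B))


def scenario(number):
    """Constructed SCP attachments per node for the article's three scenarios,
    plus an allow-list scenario 4 that the article does not show."""
    full = {node: [FULL_AWS_ACCESS] for node in EVERY_NODE}
    if number == 1:
        return {**full,
                "Root": [FULL_AWS_ACCESS, deny_service("s3")],
                "Sandbox OU": [FULL_AWS_ACCESS, deny_service("ec2")],
                "Account A": [FULL_AWS_ACCESS, deny_service("s3")]}
    if number == 2:
        return full
    if number == 3:
        return {**{node: [FULL_AWS_ACCESS, allow_service("s3")] for node in EVERY_NODE},
                "Root": [FULL_AWS_ACCESS, deny_service("s3")]}
    if number == 4:
        # Allow-list: FullAWSAccess detached from Production OU, only EC2 allowed there.
        return {**full, "Production OU": [allow_service("ec2")]}
    raise ValueError(f"unknown scenario {number}")


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        att = scenario(n)
        for name, path in (("Account A", PATH_A), ("Account B", PATH_B)):
            for action in ("s3:GetObject", "ec2:RunInstances", "iam:ListRoles"):
                print(f"scenario {n} {name:9} {action:17} -> {is_allowed(att, path, action)}")
```

Scenario 4 is the case that catches people in practice: nothing in the tree denies S3, yet Account B loses it because the Production OU no longer has any SCP that allows it, exactly the "missing Allow at any level" rule. The simulator is deliberately narrow; before relying on a real SCP, test it against an actual principal in a non-production account, since Condition keys and Resource ARNs in the policy are not modelled here.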
Best Practices
Start with the FullAWSAccess policy attached everywhere and gradually restrict access by adding Deny statements (a deny-list strategy). If you detach FullAWSAccess to move to an allow-list strategy, remember that every level then needs its own Allow, and a missing Allow on one OU silently blocks every account beneath it.
Test SCPs thoroughly before applying them to production environments.
Use service last accessed data in IAM to refine your SCPs and restrict access to only necessary AWS services.
Remember that SCPs affect all users and roles in attached accounts, including the root user, but do not affect service-linked roles. SCPs also do not apply to the management account itself, so any control you need on the management account must be enforced by other means.
By understanding how SCPs work and following these best practices, you can effectively manage permissions across your AWS organization, enhancing your security posture and ensuring compliance with your organization's policies.