Service Control Policy (SCP)
A policy type in AWS Organizations that sets the maximum permissions available to the member accounts of an organization.
Description
Service Control Policies (SCPs) are a feature of AWS Organizations that let administrators set permission guardrails for the member accounts of an organization. An SCP defines the maximum set of actions the principals in an account may perform; it does not grant permissions itself, it only bounds what IAM identity policies in that account can grant. This makes SCPs a way to enforce security and compliance rules at the organizational level, regardless of the permissions an individual IAM user or role has been given within an account. For instance, a company may want to prevent certain accounts from using specific services such as AWS Lambda or Amazon S3, so that sensitive data cannot be processed or stored there. Two caveats matter in practice: SCPs do not apply to the organization's management account, so that account must be kept free of workloads and tightly controlled, and they do not restrict service-linked roles. New organizations start with a default SCP (FullAWSAccess) that allows every action, so guardrails are usually written as explicit Deny statements layered on top of it.
Examples
- An organization denies AWS Config API calls in all accounts unless the caller is the security team's role, so that compliance monitoring cannot be tampered with by account administrators.
- A company sets an SCP that disallows the use of Amazon EC2 instances in specific regions to comply with data residency requirements.
Additional Information
- SCPs can be attached to the organization root, to organizational units (OUs), or to individual accounts; a policy attached to an OU applies to every account and child OU beneath it, so an action must be permitted by the SCPs at every level of the hierarchy down to the account.
- SCPs work in conjunction with IAM policies: the effective permissions of a principal are the intersection of what the SCPs allow and what its IAM policies allow. An explicit Deny in either one wins, and an action that the SCPs allow is still not available unless an IAM policy also grants it.
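The following Python model illustrates how the two example guardrails above (EC2 only in approved regions, AWS Config only for the security team) combine with an account's IAM policy into an effective decision. It is an added example, not AWS code or the actual IAM evaluation engine: it models only Action, Effect and a few Condition operators, treats every resource as "*", and assumes one SCP per hierarchy level. The account ID, role names and policy contents are constructed for the illustration.

```python
"""Simplified model of how SCPs and IAM identity policies combine.

Added illustration only. The real AWS evaluation also handles resource ARNs,
NotAction, permissions boundaries, session policies and resource-based
policies, none of which are modelled here.
"""
from fnmatch import fnmatchcase

# Constructed SCP: a FullAWSAccess-style Allow plus two Deny guardrails.
DATA_RESIDENCY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyEc2OutsideEu",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}
            },
        },
        {
            "Sid": "DenyConfigExceptSecurityTeam",
            "Effect": "Deny",
            "Action": "config:*",
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityTeam"}
            },
        },
    ],
}

# Constructed IAM identity policy: broad EC2 and Config rights, nothing for S3.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "config:*"], "Resource": "*"}],
}

# Constructed request contexts (hypothetical account ID and role names).
DEVELOPER_IN_EU = {"aws:RequestedRegion": "eu-west-1",
                   "aws:PrincipalArn": "arn:aws:iam::111122223333:role/Developer"}
DEVELOPER_IN_US = {"aws:RequestedRegion": "us-east-1",
                   "aws:PrincipalArn": "arn:aws:iam::111122223333:role/Developer"}
SECURITY_TEAM_IN_EU = {"aws:RequestedRegion": "eu-west-1",
                       "aws:PrincipalArn": "arn:aws:iam::111122223333:role/SecurityTeam"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """All operator/key pairs in a Condition block must match (logical AND).
    A key missing from the context is treated as a non-match (simplified;
    the contexts above always carry both keys)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "ArnLike":
                ok = any(fnmatchcase(actual, pat) for pat in expected)
            elif operator == "ArnNotLike":
                ok = not any(fnmatchcase(actual, pat) for pat in expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(statement, action, context):
    if "NotAction" in statement:
        raise ValueError("NotAction is not modelled in this example")
    patterns = _as_list(statement.get("Action", []))
    if not any(fnmatchcase(action, pattern) for pattern in patterns):
        return False
    return _condition_matches(statement.get("Condition", {}), context)


def policy_decision(policy, action, context):
    """'Deny' if a matching statement denies, else 'Allow' if one allows,
    else 'Implicit' (no statement mentions the action)."""
    decision = "Implicit"
    for statement in policy["Statement"]:
        if _statement_applies(statement, action, context):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(scps, identity_policies, action, context):
    """Every SCP on the path from root to account must allow the action, and
    the identity policies must allow it too. A Deny anywhere wins; SCPs alone
    never grant anything."""
    if any(policy_decision(scp, action, context) != "Allow" for scp in scps):
        return False
    iam = [policy_decision(p, action, context) for p in identity_policies]
    return "Deny" not in iam and "Allow" in iam


if __name__ == "__main__":
    scps, iam = [DATA_RESIDENCY_SCP], [DEVELOPER_IAM_POLICY]
    for label, action, ctx in [
        ("developer, EC2 in eu-west-1", "ec2:RunInstances", DEVELOPER_IN_EU),
        ("developer, EC2 in us-east-1", "ec2:RunInstances", DEVELOPER_IN_US),
        ("developer, AWS Config", "config:DescribeConfigRules", DEVELOPER_IN_EU),
        ("security team, AWS Config", "config:DescribeConfigRules", SECURITY_TEAM_IN_EU),
        ("developer, S3 (SCP allows, IAM does not)", "s3:ListBucket", DEVELOPER_IN_EU),
    ]:
        print(f"{label}: {'allowed' if is_allowed(scps, iam, action, ctx) else 'denied'}")
```

The last case is the one most often misread: the SCP allows s3:ListBucket, but the developer's IAM policy never grants it, so the call is denied. Conversely, the security team's Config call succeeds only because both the SCP exception and the role's IAM policy line up.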