Introduction
Service Control Policies (SCPs) are an AWS Organizations feature that sets the maximum permissions available to the AWS accounts in an organization. An SCP is attached to the organization root, to an organizational unit (OU), or to an individual account, and it applies to every IAM user and role in the accounts it covers, including each member account's root user. The management account is the exception: SCPs never restrict it, which is one more reason to keep workloads out of it.
SCPs are different from identity-based and resource-based policies, which grant permissions to users, groups, and roles. An SCP grants nothing on its own; it is a guardrail that caps what could ever be allowed, so a principal's effective permissions are the intersection of what its identity-based (or resource-based) policies grant and what every SCP on the path from the root down to its account allows. You still have to write identity-based or resource-based policies to grant the actions you need within your accounts. When you enable SCPs, AWS attaches a default policy named FullAWSAccess (Allow all actions on all resources) to the root and to every OU and account; the usual pattern is to leave it in place and add deny-list SCPs alongside it, because detaching it from a level without replacing it with an explicit Allow blocks every action below that level.
To use SCPs for managing security at the account level, the organization must be created with (or migrated to) the "all features" setting; an organization that has only consolidated billing features cannot use SCPs.
Steps to create an SCP
- Sign in to the management account of your organization and navigate to AWS Organizations
- Under the AWS Organizations dashboard, in the left panel, select Policies
- Click Enable Service Control Policies if they are not already enabled (this also attaches the default FullAWSAccess policy to the root and to every OU and account)
- Click Create Policy
- Add your policy name and policy description
- Write the policy document (JSON) and click Create policy; the new policy appears in the Policies tab
- Finally, attach the policy to the root, organizational unit, or individual account where you want the guardrail to apply; accounts inherit every SCP attached above them in the hierarchy, and an action must pass the SCPs at every level to be allowed
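The following is an added example, not code from the article or from Kloudle. It illustrates two things the text above describes: the "SCP does not grant access" rule from the introduction, and the create-and-attach procedure in the steps. It contains a constructed deny-list SCP (assumed content: keep accounts in the organization, keep CloudTrail and GuardDuty on, and pin regional services to eu-west-1), a deliberately small evaluator that applies the SCPs at each level of the hierarchy and then intersects the result with an identity policy, and a function that returns the AWS CLI equivalent of the console steps. The policy name, the target account ID 123456789012, and the r-EXAMPLE root ID are placeholders. The evaluator handles only the IAM grammar the sample policy uses (Action/NotAction, Resource "*", and String(Not)Equals on aws:RequestedRegion) and ignores resource ARNs, permissions boundaries, session policies and resource-based policies; it is a teaching model, not a replacement for the IAM policy simulator.

```python
"""Added example: a deny-list SCP, a toy evaluator showing that an SCP only caps
what identity policies grant, and the CLI equivalent of the console steps.
Policy name, root ID and account ID below are placeholders, not real values."""
import fnmatch
import json

# Default policy AWS attaches to the root, every OU and every account when SCPs are enabled.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed deny-list SCP (assumed content, not from the article). Global services
# (IAM, Organizations, STS, Support) are exempted from the region guardrail via NotAction.
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeaveOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyDisablingLogging", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "guardduty:DeleteDetector"], "Resource": "*"},
        {"Sid": "DenyOutsideApprovedRegion", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
    ],
}


def _matches(patterns, action):
    """IAM-style action match: '*' and 's3:*' are wildcards; matching is case-insensitive."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action, region):
    """True if the statement covers this action in this region. Only the subset of the IAM
    grammar used above is implemented; anything else raises instead of guessing."""
    if "Action" in stmt:
        if not _matches(stmt["Action"], action):
            return False
    elif _matches(stmt["NotAction"], action):
        return False
    if stmt.get("Resource", "*") != "*":
        raise NotImplementedError("this toy evaluator only handles Resource '*'")
    for operator, conditions in stmt.get("Condition", {}).items():
        for key, values in conditions.items():
            if key != "aws:RequestedRegion" or operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(f"unsupported condition {operator} on {key}")
            values = [values] if isinstance(values, str) else values
            if (region in values) != (operator == "StringEquals"):
                return False
    return True


def level_allows(scps, action, region):
    """Evaluate all SCPs attached at one level (root, an OU, or the account) together.
    An explicit Deny in any of them wins; otherwise some statement must Allow the action,
    which is normally the job of FullAWSAccess. A level holding only deny lists allows nothing."""
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _statement_applies(stmt, action, region):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allowed(levels, identity_actions, action, region):
    """The guardrail rule: the action must pass the SCPs at every level from the root down to
    the account AND be granted by the principal's identity-based policy. SCPs never grant."""
    scp_ok = all(level_allows(scps, action, region) for scps in levels)
    return scp_ok and _matches(identity_actions, action)


# Hierarchy for one member account: root -> OU (where the deny list is attached) -> account.
ORG_LEVELS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LIST_SCP], [FULL_AWS_ACCESS]]


def cli_commands(policy_name, description, target_id, policy_file="scp.json"):
    """AWS CLI equivalent of the console steps: find the root, enable the policy type, create
    the policy, attach it. r-EXAMPLE is a placeholder for the ID that list-roots returns, and
    the policy ID for attach-policy is the one printed by create-policy."""
    return [
        "aws organizations list-roots --query 'Roots[0].Id' --output text",
        "aws organizations enable-policy-type --root-id r-EXAMPLE --policy-type SERVICE_CONTROL_POLICY",
        f"aws organizations create-policy --type SERVICE_CONTROL_POLICY --name {policy_name} "
        f"--description '{description}' --content file://{policy_file} "
        "--query 'Policy.PolicySummary.Id' --output text",
        f"aws organizations attach-policy --policy-id <id-from-create-policy> --target-id {target_id}",
    ]


if __name__ == "__main__":
    with open("scp.json", "w") as f:          # the file create-policy reads via file://
        json.dump(DENY_LIST_SCP, f, indent=2)
    for action, region, identity in [("s3:GetObject", "eu-west-1", ["s3:*"]),
                                     ("ec2:RunInstances", "eu-west-1", ["s3:*"]),
                                     ("ec2:RunInstances", "us-east-1", ["*"]),
                                     ("cloudtrail:StopLogging", "eu-west-1", ["*"])]:
        print(f"{action} in {region} with identity policy {identity}: "
              f"{effective_allowed(ORG_LEVELS, identity, action, region)}")
    print("\n".join(cli_commands("deny-list-baseline", "Org guardrails", "123456789012")))
```

Two of the cases are the ones worth remembering: ec2:RunInstances in eu-west-1 is denied even though every SCP permits it, because the identity policy only grants s3:*, and a level that holds only DENY_LIST_SCP (FullAWSAccess detached) allows nothing at all. The `--query`/`--output text` flags on create-policy print just the new policy ID so it can be fed into attach-policy.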
Conclusion
This was a short introductory article on Service Control Policies (SCPs) in AWS. SCPs are most useful when you run multiple AWS accounts and want a permission ceiling applied consistently across them, so that a baseline exists which no identity-based policy inside a member account can exceed. Keep in mind that an SCP is a ceiling, not a grant, and that it does not apply to the management account.

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.
