July 22, 2022

An introduction to Service Control Policies (SCPs) in AWS

An introductory article on Service Control Policies (SCPs) in AWS.

Service Control Policies (SCPs) set a boundary of permissions for AWS accounts. An SCP has overriding precedence and determines the maximum level of permissions allowed. These permission boundaries are associated with one or more AWS accounts or organizational units (OUs).

SCPs are different from identity-based and resource-based policies, which grant permissions to users, groups, and roles. An SCP does not grant access; it adds a guardrail that defines what is allowed. You still need to configure identity-based or resource-based policies to grant permission to carry out actions within your accounts.
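The guardrail behaviour described above, as a simplified model added here for illustration (it is not AWS's or Kloudle's code). It looks only at `Effect` and `Action` and ignores `Resource`, `Condition` and `NotAction`; both policy documents and all function names are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample SCP (the kind of JSON pasted into the policy editor).
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

# Constructed sample identity-based policy attached to a role in the account.
IDENTITY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:DeleteBucket", "iam:CreateUser"],
     "Resource": "*"}
  ]
}""")

def _matches(stmt, action):
    # Action may be a string or a list; names are case-insensitive, "*" is a wildcard.
    patterns = stmt.get("Action", [])
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def verdict(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    stmts = policy["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    effects = {s["Effect"] for s in stmts if _matches(s, action)}
    if "Deny" in effects:          # an explicit deny always wins
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def is_permitted(action, scps, identity_policy):
    """True only if every SCP allows the action AND the identity policy grants it."""
    if any(verdict(scp, action) != "Allow" for scp in scps):
        return False               # outside the guardrail, nothing can grant it
    return verdict(identity_policy, action) == "Allow"

if __name__ == "__main__":
    for a in ("s3:GetObject", "s3:DeleteBucket", "iam:CreateUser", "ec2:DescribeInstances"):
        print(f"{a:24} scp={verdict(SCP, a):12} permitted={is_permitted(a, [SCP], IDENTITY)}")
```

`ec2:DescribeInstances` sits inside the SCP boundary but is still refused because no identity-based policy grants it, while `iam:CreateUser` is granted by the identity policy but refused because the SCP never allows it.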

To use SCPs for managing security at the account level, ensure that AWS Organizations is deployed with the "all features" setting enabled.

Steps to create SCP

  1. Sign in to your AWS account and navigate to AWS Organizations
  2. Under the AWS Organizations dashboard on the left panel, select Policies
  3. Click on Enable Service Control Policies if it is not already enabled
  4. Click on Create Policy
  5. Add your policy name and policy description
  6. Create your policy and select the Save changes button. You can see the new policy in the Policies tab
  7. Finally, attach the policy to the AWS account where you want to apply the permissions

This was a short introductory article on Service Control Policies (SCPs) in AWS. SCPs are very useful when we have multiple AWS accounts and want to set boundary permissions for them, so that a baseline is established within which the AWS accounts are used.


This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security.

Written by:
Priyam Singh

Cloud Security Specialist

Priyam is a Cloud Security Specialist at Kloudle. She also has experience as a DevSecOps Engineer. She is part of security communities such as Infosecgirls and null - The Open Security Community, and is an active speaker and contributor to various security communities. She has given various technical talks and published content on DevSecOps.