An introduction to Service Control Policies (SCPs) in AWS

An introductory article on Service Control Policies (SCPs) in AWS.

Service Control Policies (SCPs) set a permissions boundary for the AWS accounts in an organization. An SCP defines the maximum set of permissions that identities in an account can be given; any action an SCP does not allow is denied no matter what the IAM policies inside the account say. SCPs are attached to the organization root, to organizational units (OUs) or to individual member accounts, and a member account is bound by every SCP on the path from the root down to it. They do not restrict the organization's management account.

SCPs are different from identity-based and resource-based policies, which grant permissions to users, groups and roles. An SCP never grants access; it adds a guardrail that defines what may be allowed, so you still need identity-based or resource-based policies to grant the permissions required to carry out actions in your accounts. A request in a member account succeeds only when both the SCPs and the IAM policies allow it, and an explicit Deny in an SCP cannot be overridden by any policy inside the account.

To use SCPs for managing security at the account level, AWS Organizations must be set up with all features enabled; an organization created for consolidated billing only cannot use SCPs.

Steps to create an SCP

  1. Sign in to your AWS account and navigate to AWS Organizations
  2. Under the AWS Organizations dashboard, in the left panel, select Policies
  3. Click Enable Service Control Policies if they are not already enabled
  4. Click Create Policy
  5. Add your policy name and policy description
  6. Write the policy document in the editor and select the Save changes button to create the policy. You can see the new policy in the Policies tab
  7. Finally, attach the policy to the root, OU or AWS account where you want the permission boundary to apply

Note that AWS attaches its managed FullAWSAccess SCP to every root, OU and account by default. If your SCP only contains Deny statements (a deny list), leave FullAWSAccess attached alongside it; if nothing attached at a level allows an action, that action is denied for the whole subtree.
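The policy document written at step 6 and the rule that an SCP only narrows what IAM policies grant, as an added example (this is not code from the original article, from Kloudle or from AWS). The deny-list SCP, the developer role's IAM policy and the approved region list are constructed for illustration; FullAWSAccess is the real AWS-managed default SCP. The evaluator is a deliberately simplified model of IAM evaluation: it handles Action, NotAction and the aws:RequestedRegion condition only, and ignores resource-based policies, permission boundaries, session policies and SCP inheritance through nested OUs.

```python
"""Added example (not Kloudle's or AWS's code): a constructed deny-list SCP as you would
paste it at the Create Policy step, a structural check on it, and a simplified evaluator
showing that an SCP only restricts what identity-based policies grant."""
import json
from fnmatch import fnmatch

# The AWS-managed SCP attached to every root, OU and account by default. A deny-list SCP
# relies on it (or another Allow) staying attached; detach it and nothing is permitted.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed deny-list SCP: it grants nothing and blocks a few high-impact actions for
# every principal in the account, including the account's own root user.
SCP_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Nobody in the account may detach it from the organization.
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
        {   # Protect the audit trail from being switched off or deleted.
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
        {   # Region guardrail: deny everything outside approved regions except global services.
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}},
        },
    ],
}

# Identity-based policy of a hypothetical developer role in a member account (constructed);
# it deliberately grants two actions that the SCP forbids.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["s3:*", "cloudtrail:*", "organizations:LeaveOrganization"]}],
}

def scp_json(doc=SCP_DOCUMENT):
    """Serialize the policy for the console editor or `create-policy --content file://scp.json`."""
    return json.dumps(doc, indent=2)

def validate_scp(doc):
    """Return a list of problems; an empty list means the document meets the basic SCP rules."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for st in doc.get("Statement", []):
        sid = st.get("Sid", "?")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        if ("Action" in st) == ("NotAction" in st):
            problems.append(f"{sid}: exactly one of Action or NotAction is required")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{sid}: Resource is required in an SCP")
        if "Principal" in st or "NotPrincipal" in st:
            problems.append(f"{sid}: Principal elements are not allowed in an SCP")
    return problems

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(st, action, region):
    """Does the statement cover this request? Only the aws:RequestedRegion condition is modelled."""
    patterns = _as_list(st.get("Action", st.get("NotAction")))
    hit = any(fnmatch(action, p) for p in patterns)
    if "NotAction" in st:
        hit = not hit
    if not hit:
        return False
    approved = st.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    return approved is None or region not in _as_list(approved)

def _policies_allow(docs, action, region):
    """Simplified IAM logic: an explicit Deny anywhere wins, otherwise an Allow is needed."""
    matched = [st for d in docs for st in d["Statement"] if _statement_applies(st, action, region)]
    if any(st["Effect"] == "Deny" for st in matched):
        return False
    return any(st["Effect"] == "Allow" for st in matched)

def effective_decision(action, region, scps=(FULL_AWS_ACCESS, SCP_DOCUMENT), iam=DEVELOPER_IAM_POLICY):
    """A request in a member account succeeds only if the SCPs allow it AND an IAM policy grants it."""
    if not _policies_allow(scps, action, region):
        return "denied by SCP"
    if not _policies_allow([iam], action, region):
        return "denied: no IAM grant"
    return "allowed"

if __name__ == "__main__":
    for act, reg in [("s3:GetObject", "ap-south-1"), ("ec2:RunInstances", "eu-west-1")]:
        print(act, reg, "->", effective_decision(act, reg))
```

Calling `effective_decision("cloudtrail:StopLogging", "eu-west-1")` returns "denied by SCP" even though the developer's IAM policy grants `cloudtrail:*`, while `effective_decision("ec2:RunInstances", "eu-west-1")` returns "denied: no IAM grant" because the SCP allowing an action is not the same as someone being granted it. Passing `scps=(SCP_DOCUMENT,)` alone shows why FullAWSAccess must stay attached next to a deny list. With the output of `scp_json()` saved as scp.json, the console steps above correspond to `aws organizations enable-policy-type --root-id <root-id> --policy-type SERVICE_CONTROL_POLICY`, `aws organizations create-policy --name <name> --description <text> --type SERVICE_CONTROL_POLICY --content file://scp.json` and `aws organizations attach-policy --policy-id <policy-id> --target-id <account-or-OU-id>`, with the angle-bracket values being placeholders for your own identifiers.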


This was a short introductory article on Service Control Policies (SCPs) in AWS. SCPs are most useful when you run multiple AWS accounts and want to set a permission boundary for each of them, so that a baseline is established within which the accounts are used.


***


This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. Receive alerts for Academy by subscribing here.
