Welcome! Today, we’re diving into AWS Service Control Policies (SCPs)! Whether you’re a seasoned AWS user or just getting started, understanding SCPs can elevate your control and governance to new heights.

What are AWS Service Control Policies?
AWS Service Control Policies (SCPs) are a type of policy that you can use with AWS Organizations to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure that your accounts stay within the compliance and security boundaries you define.

SCPs work by allowing or denying permissions to AWS services and resources. These policies are attached at the organization level, organizational unit (OU) level, or account level within an organization. They act as a filter for AWS Identity and Access Management (IAM) policies by specifying the maximum permissions for account members of an organization or OU. If an action is not explicitly allowed by an SCP, no identity-based policy can grant access to that action.

Reference: AWS Service Control Policies Documentation

Key points
Some key points about SCPs include:

  • Scope of Control: SCPs limit permissions for entities (users, groups, and roles) in member accounts, including the root user of each member account; they have no effect on the organization’s management account. They do not grant permissions but rather act as a guardrail to restrict what actions are permissible.
  • Hierarchy: SCPs follow a hierarchical model where policies applied at the parent level affect all child units. For example, an SCP applied at the organization level affects all OUs and accounts under that organization.
  • Evaluation Logic: When determining whether an action is allowed, AWS evaluates all applicable policies, including SCPs and IAM policies. For an action to be allowed, it must be allowed by the SCPs at every level of the hierarchy (the root, each OU on the path, and the account itself) and not explicitly denied by any of them, and it must also be explicitly allowed by an IAM policy.
  • Use Cases: SCPs are particularly useful for enforcing compliance and security standards, preventing unauthorized access to certain AWS services, and limiting actions that can lead to higher costs.
  • Flexibility: Organizations can apply multiple SCPs to OUs or accounts, providing flexibility in defining and applying permissions policies.

How to get started…
Implementing AWS Service Control Policies (SCPs) involves several steps, primarily centered around the AWS Organizations service. Here’s a step-by-step guide to help you get started with SCPs:

Some prerequisites before you get started:

  1. Enable AWS Organizations: If you haven’t already, you’ll need to enable AWS Organizations by setting up an organization from the AWS Management Console. This involves choosing between creating a new organization or inviting an existing account to join your organization.
  2. Enable All Features: For SCPs to be available, your organization must be in the “All Features” mode. This can be enabled in the AWS Organizations console.

Creating and Managing SCPs:

  1. Access AWS Organizations Console:
    Sign in to the AWS Management Console and open the AWS Organizations console at https://console.aws.amazon.com/organizations/.
  2. Create an SCP:
    • In the navigation pane, choose “Policies” and then “Service control policies”.
    • Select “Create policy”. Here, you’ll enter the SCP details:
      • Name: Give your SCP a meaningful name.
      • Description (optional): Provide a description for the SCP.
      • Policy: Enter the policy document in JSON format. This document defines the permissions that the SCP allows or denies.

      For example, to deny access to all services except Amazon S3:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "Resource": "*"
          }
        ]
      }

      Because this is a deny-list policy, it relies on the default FullAWSAccess SCP that AWS attaches at the root, each OU and each account remaining in place; if that default is detached without another SCP that allows the actions you need, every action is blocked.

Applying the SCP:

  1. Select the OU or account you want to apply the SCP to.
  2. Choose the “Policies” tab, then “Service control policies”.
  3. Select “Attach” next to the SCP you want to apply.

Get testing!

  1. Verify SCP Enforcement:
    • Attach the SCP and verify functionality by testing permitted and denied actions using an IAM user or role in the relevant account(s).
  2. Use CloudTrail for Monitoring:
    • AWS CloudTrail can help you monitor the API calls and related events for your accounts. It can be especially useful for auditing and troubleshooting SCP-related issues.
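To see what the evaluation logic above means for the S3-only SCP before testing it in a real account, here is an added example (my own simplified model, not AWS code or anything from the post) that walks an action through the root, OU and account SCPs and then through an identity policy. It supports Effect, Action/NotAction and Resource with wildcards and ignores conditions; the FullAWSAccess, role policy and hierarchy are constructed sample data.

```python
from fnmatch import fnmatchcase

# Default SCP AWS attaches at every level; without an Allow at a level nothing passes.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# The deny-list SCP from the post: everything except Amazon S3 is denied.
S3_ONLY = {"Statement": [{"Effect": "Deny", "NotAction": "s3:*", "Resource": "*"}]}
# Constructed identity-based policy for a sample IAM role in the member account.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                              "Action": ["s3:GetObject", "ec2:DescribeInstances"]}]}
# Constructed path root -> OU -> account: the OU adds S3_ONLY, the account only inherits.
HIERARCHY = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, S3_ONLY], [FULL_AWS_ACCESS]]

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def statement_applies(stmt, action, resource):
    """True when a statement covers this action/resource pair (conditions ignored)."""
    if "Action" in stmt:
        hit = _matches(stmt["Action"], action)
    else:  # NotAction: the statement covers everything except the listed actions
        hit = not _matches(stmt["NotAction"], action)
    return hit and _matches(stmt.get("Resource", "*"), resource)

def policy_decision(policy, action, resource):
    """'Deny' if any Deny statement applies, 'Allow' if only Allows apply, else None."""
    decision = None
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def scps_allow(levels, action, resource):
    """Every level on the path must have an Allow that applies and no Deny."""
    for scps in levels:
        decisions = [policy_decision(p, action, resource) for p in scps]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True

def is_allowed(levels, iam_policy, action, resource="*"):
    """SCPs set the ceiling; the identity policy must still grant the action."""
    return (scps_allow(levels, action, resource)
            and policy_decision(iam_policy, action, resource) == "Allow")

if __name__ == "__main__":
    for act in ("s3:GetObject", "ec2:DescribeInstances", "s3:PutObject"):
        print(act, "allowed" if is_allowed(HIERARCHY, ROLE_POLICY, act) else "denied")
```

Running it shows the three outcomes to expect when testing: s3:GetObject is allowed, ec2:DescribeInstances is blocked by the OU-level SCP even though the role policy grants it, and s3:PutObject passes the SCPs but is never granted by the role policy.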

Best Practices

  • Plan! To implement SCPs effectively, organizations need to plan their AWS Organizations structure carefully, considering how to best use OUs and SCPs to manage permissions across accounts in a way that aligns with their security and governance requirements.
  • Gradual Rollout: Start by applying SCPs to a non-production OU to understand their impact without affecting your business operations.
  • Regularly Review and Update: As your organization’s needs evolve, regularly review and update your SCPs to ensure they remain effective and relevant.

Following these steps will help you effectively implement and manage SCPs within your AWS environment, enhancing your organization’s security and compliance posture.

About
With over 20 years in the technology sector, Keith has spent the last decade providing consultancy, support, and strategic direction to customers across multiple cloud platforms.

Disclaimer: The information shared on this blog is for informational purposes only and should not be considered as professional advice. The opinions presented here are personal and independent of any affiliations with tech companies or organizations.