Protecting AWS Organization with Service Control Policies (SCPs)
Service Control Policies (SCPs) are a powerful governance tool in AWS Organizations that enable centralized control over permissions across all accounts. Understanding how to implement SCPs effectively is crucial for maintaining security, compliance, and operational excellence at scale.
What are Service Control Policies?
SCPs are a type of organization policy that you can use to manage permissions in your organization. They offer central control over the maximum available permissions for all accounts in your organization.
Key Characteristics
- Guardrails: Define boundaries of allowed actions
- Inheritance: Applied to organizational units (OUs) and cascade down
- Override IAM: Even if IAM allows an action, SCP can deny it
- Organization-wide: Consistent policy enforcement
Why Use SCPs?
Security Benefits
- Prevent accidental or malicious actions
- Enforce least privilege at the account level
- Protect critical resources from deletion
- Restrict access to specific AWS regions
Compliance
- Implement regulatory requirements
- Maintain audit trails of policy changes
- Demonstrate governance to auditors
- Enforce data residency requirements
Cost Control
- Restrict expensive service usage
- Prevent unauthorized resource creation
- Limit instance types and regions
Common SCP Use Cases
1. Region Restriction
Limit operations to approved AWS regions:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["us-east-1", "us-west-2"]
}
}
}]
}
2. Prevent Root User Usage
Deny all actions by the root user except for specific account management tasks.
3. Enforce Encryption
Require encryption for S3 buckets, EBS volumes, and RDS instances.
4. Protect Critical Resources
Prevent deletion of CloudTrail logs, Config rules, and GuardDuty configurations.
Topics Covered
- Understanding SCP syntax and structure
- Best practices for SCP design and implementation
- Common SCP patterns and templates
- Testing SCPs safely before deployment
- SCP inheritance and evaluation logic
- Combining SCPs with IAM policies
- Troubleshooting permission issues with SCPs
- Managing exceptions and emergency access
SCP Best Practices
- Start with Deny Lists: Begin with allow-all, then add specific denies
- Test Thoroughly: Use a sandbox account for testing
- Document Everything: Maintain clear documentation of SCP purposes
- Version Control: Track SCP changes in Git
- Regular Reviews: Audit SCPs periodically
- Emergency Access: Plan for SCP bypass in emergencies
SCP Strategy
Organizational Structure
Root
├── Security OU (Strict SCPs)
├── Production OU (Moderate SCPs)
├── Development OU (Permissive SCPs)
└── Sandbox OU (Most Permissive)
Layered Approach
- Base Layer: Organization-wide security requirements
- OU Layer: Environment-specific restrictions
- Account Layer: Special cases and exceptions
Common Pitfalls to Avoid
- Overly restrictive SCPs that block legitimate operations
- Not testing SCPs before applying to production
- Forgetting that SCPs affect all principals, including admins
- Not documenting the business reason for each SCP
- Applying too many SCPs making troubleshooting difficult
Monitoring and Compliance
- Use CloudTrail to monitor SCP changes
- Set up Config rules to detect policy violations
- Create CloudWatch alarms for unauthorized actions
- Regular compliance audits
Read the Full Article
This article was originally published on AWS Builder.
Read the full article on AWS Builder →
For more insights on AWS and DevOps best practices, connect with me on LinkedIn and explore my GitHub.