SCP Policies - Kahuna915/Capstone-Cloud-Integration GitHub Wiki
What is an SCP?
Service Control Policies (SCPs) are organization policies that manage permissions across an AWS Organization. They set the maximum available permissions for every account in the organization.
SCPs only affect member accounts; the management account is not restricted by them.
SCP Prerequisites
- All features must be enabled for the organization
Items to Note
- The management account can apply SCPs that prevent member accounts from leaving the organization
- SCPs are not sufficient to grant permissions to the accounts in your organization
- An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to the IAM users and roles in the affected account
- Identity-based or resource-based policies are what actually grant permissions to IAM users and roles
- SCPs are inherited top-down through the organization hierarchy (root, then OUs, then accounts)
- Any explicit Deny statement overrides any Allow that other SCPs might grant
Policy Syntax
Example Deny Rule
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TaxDeny",
            "Effect": "Deny",
            "Action": [
                "tax:DeleteTaxRegistration",
                "tax:GetTaxInterview",
                "tax:GetTaxRegistration",
                "tax:GetTaxRegistrationDocument",
                "tax:ListTaxRegistrations",
                "tax:GetTaxInheritance",
                "tax:GetExemptions"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
Example Allow Rule
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
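The evaluation rules from "Items to Note" (top-down inheritance, Deny beats Allow, SCPs never grant) are easy to get wrong when reasoning about what a member account can actually do. The following is an added example, not code from this wiki or from AWS: a small offline evaluator that applies those rules to copies of the two policies above plus the AWS-managed FullAWSAccess policy. The hierarchy (root, one OU, one account) and the action names checked are constructed for illustration; `NotAction`, `Condition` and resource matching are deliberately not modelled.

```python
"""Toy evaluator for AWS Organizations SCP semantics (added example, not AWS code)."""
import fnmatch

# Constructed sample policies. FULL_AWS_ACCESS mirrors the AWS-managed policy that
# Organizations attaches to every root, OU and account by default; the other two
# copy the Deny and Allow rules shown on this page.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

TAX_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TaxDeny",
        "Effect": "Deny",
        "Action": [
            "tax:DeleteTaxRegistration", "tax:GetTaxInterview",
            "tax:GetTaxRegistration", "tax:GetTaxRegistrationDocument",
            "tax:ListTaxRegistrations", "tax:GetTaxInheritance", "tax:GetExemptions",
        ],
        "Resource": ["*"],
    }],
}

EC2_ONLY_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                   "Action": ["ec2:*"], "Resource": ["*"]}],
}

# Hypothetical hierarchy, listed root first: the root keeps FullAWSAccess, the OU
# adds the tax Deny, and the account has had FullAWSAccess replaced by the
# EC2-only Allow.
SAMPLE_HIERARCHY = [
    [FULL_AWS_ACCESS],            # organization root
    [FULL_AWS_ACCESS, TAX_DENY],  # OU that contains the account
    [EC2_ONLY_ALLOW],             # the member account itself
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(action, statement):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    if "NotAction" in statement:
        raise NotImplementedError("NotAction is not modelled in this example")
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def level_allows(action, policies):
    """One level (root, OU or account) permits an action only if some attached SCP
    has a matching Allow and no attached SCP has a matching Deny."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_matches(action, statement):
                continue
            if statement["Effect"] == "Deny":
                return False  # an explicit Deny wins at this level
            allowed = True
    return allowed


def scp_allows(action, hierarchy):
    """SCPs inherit top-down and can only narrow: every level must allow the action."""
    return all(level_allows(action, level) for level in hierarchy)


def effective_decision(action, hierarchy, iam_allows):
    """SCPs never grant anything: the action is usable only if the SCP chain allows
    it AND an identity- or resource-based policy in the account grants it."""
    return "Allow" if scp_allows(action, hierarchy) and iam_allows else "Deny"


def allowed_actions(candidates, hierarchy):
    """Filter a list of action names down to those the SCP chain lets through."""
    return [a for a in candidates if scp_allows(a, hierarchy)]


if __name__ == "__main__":
    for act in ["ec2:RunInstances", "s3:GetObject", "tax:GetExemptions"]:
        scp = "allow" if scp_allows(act, SAMPLE_HIERARCHY) else "deny"
        print(f"{act:22} scp={scp:5} with IAM allow -> "
              f"{effective_decision(act, SAMPLE_HIERARCHY, True)}")
```

Running it shows the three behaviours the notes describe: `ec2:RunInstances` passes every level, `tax:GetExemptions` is stopped by the Deny at the OU even though root and account would allow it, and `s3:GetObject` is stopped at the account because the root's FullAWSAccess is not inherited as a grant, so the account's own SCPs must allow the action too.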