CloudWiki
Resource

SCP

Amazon Web Services
Permissions
Service Control Policies (SCPs) are a type of policy that allows administrators to manage permissions for multiple AWS accounts from a central location. SCPs are used to set permissions that restrict what actions AWS IAM users and roles can perform within an account or a group of accounts that are associated with an AWS Organization. SCPs are used to control access to services, actions, and resources within AWS accounts. They are used to help enforce organizational compliance and governance policies, ensure data security and privacy, and prevent unauthorized access to critical resources. SCPs allow administrators to create a hierarchy of permissions for AWS accounts. They can be applied to an entire AWS Organization, to individual accounts within an Organization, or to specific organizational units (OUs) within an Organization. SCPs are designed to be used in conjunction with AWS Identity and Access Management (IAM) policies. While IAM policies control access within individual AWS accounts, SCPs allow administrators to set rules across all accounts in an AWS Organization.
Terraform Name
terraform
aws_organizations_policy
SCP
attributes:

The following arguments are supported:

  • content - (Required) The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.
  • name - (Required) The friendly name to assign to the policy.
  • description - (Optional) A description to assign to the policy.
  • skip_destroy - (Optional) If set to true, destroy will not delete the policy and instead just remove the resource from state. This can be useful in situations where the policies (and the associated attachment) must be preserved to meet the AWS minimum requirement of 1 attached policy.
  • type - (Optional) The type of policy to create. Valid values are AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY (SCP), and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a
SCP
Resources do not "belong" to a
SCP
Rather, one or more Security Groups are associated to a resource.
Create
SCP
via Terraform:
The following HCL is an example of an AWS Organizations policy with the aws_organizations_policy resource that includes a SERVICE_CONTROL_POLICY type
Syntax:

resource "aws_organizations_policy" "example_policy" {
 content = jsonencode({
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Action": "*",
       "Resource": "*"
     }
   ]
 })
 description = "Example policy"
 name = "example-policy"
 type = "SERVICE_CONTROL_POLICY"
}

Create
SCP
via CLI:
Parametres:

create-policy
--content <value>
--description <value>
--name <value>
--type <value>
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]

Example:

aws organizations create-policy --content file://policy.json --name AllowAllS3Actions, --type SERVICE_CONTROL_POLICY --description "Allows delegation of all S3 actions"

aws cost
Costs
There is no additional cost for using AWS Service Control Policies (SCPs) themselves. SCPs are a feature of AWS Organizations, which is a service that is available at no additional cost to AWS customers. However, it's important to note that SCPs are used to control access to AWS resources and services, which do incur costs based on usage. SCPs are designed to help administrators manage and control those costs by limiting the actions that can be performed by AWS users and roles. Additionally, using SCPs may require additional management overhead, such as monitoring and updating the policies as the needs of the organization change. Depending on the complexity of the policies and the size of the organization, this may require additional resources, such as time and expertise. So while there is no direct cost associated with SCPs themselves, it's important to consider the potential impact on overall AWS usage and management when implementing SCPs in an organization.
Direct Cost

--

Indirect Cost
No items found.
Best Practices for
SCP

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services