Service control policies (SCPs) in depth – Introduction to AWS Security Services


SCPs are a powerful feature within Organizations that let you define permission guardrails. An SCP can be written as an allow list (only the listed actions can be used anywhere beneath it) or as a deny list (the listed actions are blocked everywhere beneath it, while the AWS-managed FullAWSAccess policy that Organizations attaches by default keeps everything else available). SCPs are attached at the root, OU, or individual account level, and an account inherits every SCP attached above it, so a request must pass the SCPs at each level of that chain. Two exemptions matter in practice: SCPs never restrict the management account, and they do not apply to service-linked roles.

The beauty of SCPs is that they operate as a boundary: they never grant permissions, they only cap the permissions that IAM identity policies and resource policies in the account can grant. For example, you can create an SCP that prevents any account in a specific OU from terminating EC2 instances. Even if an IAM policy grants a user ec2:TerminateInstances, the explicit Deny in the SCP wins over the IAM Allow and the call fails with an access-denied error, so the instance cannot be terminated by any principal in that account (apart from service-linked roles, which SCPs do not govern).

SCPs are particularly useful for enforcing compliance and security best practices. For instance, you could create an SCP that denies any changes to logging configurations, ensuring that all accounts maintain a consistent and auditable history of actions.

As an example, imagine you have an OU for your development teams and another for your production environment. You could apply an SCP to the development OU that allows broad permissions, enabling developers to experiment and innovate. On the other hand, you could apply a restrictive SCP to the production OU that only allows essential services to be modified, thereby safeguarding your live applications from unintended changes.

SCPs also support condition keys, allowing you to create even more nuanced policies. For example, using the aws:RequestTag condition key you could set up an SCP that only allows EC2 instances to be launched if the request tags them with a specific cost center code, helping you manage budgets more effectively.

Here is a JSON example of an SCP that denies launching EC2 instances without a specific cost center tag while still preventing the termination of any EC2 instance. Because an explicit Deny in an SCP wins over every Allow, the tag requirement is expressed as a conditional Deny rather than as an Allow for tagged launches paired with a blanket Deny for RunInstances (that combination would block every launch, tagged or not). The RunInstances statement is scoped to the instance ARN because aws:RequestTag is evaluated separately for each resource the call creates (instances, volumes, network interfaces), and a statement on Resource "*" would also deny launches whose volumes carry no tag:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTerminateEC2Instances",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    },
    {
      "Sid": "DenyLaunchEC2InstancesWithoutCostCenterTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/costCenter": "1234"
        }
      }
    }
  ]
}
StringNotEquals also matches when the key is absent from the request, so a launch that does not tag the instance at all is denied along with one that uses the wrong value. A deny-list SCP like this one allows nothing by itself; the account still needs FullAWSAccess (or another allowing SCP) attached at every level of its chain for any request to get through to IAM.
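To make the evaluation order discussed above concrete (every SCP level in the chain must allow and none may deny, and only then does the IAM policy decide, with an explicit Deny always winning), here is a small evaluator written for this page. It is an added example, not AWS code or a tool from the original. The SCP documents, account ID, ARNs and request contexts are constructed; the evaluator models only Action/Resource wildcards and the StringEquals, StringNotEquals and Null operators, authorizes a single resource per request, and ignores the management-account and service-linked-role exemptions.

```python
"""Toy model of how SCPs combine with IAM identity policies.

Added example, not AWS code. Evaluation order modeled:
  1. at every SCP level (root, OU..., account) some SCP must Allow and none may Deny;
  2. then an IAM identity policy must Allow and none may Deny.
"""
import re

# Constructed SCP for a hypothetical "Production" OU.
PROD_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyTerminateEC2Instances", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*"},
        {"Sid": "DenyLaunchWithoutCostCenterTag", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEquals": {"aws:RequestTag/costCenter": "1234"}}},
    ],
}
# AWS-managed FullAWSAccess, attached by default at every level.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed IAM identity policy: an administrator inside the member account.
ADMIN_IAM_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_matches(condition, context):
    """All keys in all operators must match (AND); values within a key are OR."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the request.
                if actual is not None and actual in expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (str(expected[0]).lower() == "true"):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _statement_matches(stmt, request):
    return (any(_glob(a, request["action"]) for a in _as_list(stmt["Action"]))
            and any(_glob(r, request["resource"]) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition"), request.get("context", {})))


def evaluate_policy(policy, request):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, request)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(request, scp_chain, iam_policies):
    """scp_chain: one list of SCPs per level, root first, account last."""
    for level in scp_chain:
        results = [evaluate_policy(p, request) for p in level]
        if "Deny" in results or "Allow" not in results:
            return False  # SCPs are a ceiling: IAM is never consulted.
    iam = [evaluate_policy(p, request) for p in iam_policies]
    return "Deny" not in iam and "Allow" in iam


# Constructed requests (one resource each; a real RunInstances call is authorized
# per created resource, which is why the SCP above is scoped to instance ARNs).
ACCOUNT = "111122223333"


def _req(action, resource, **context):
    return {"action": action, "resource": resource, "context": context}


TERMINATE = _req("ec2:TerminateInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc")
LAUNCH_TAGGED = _req("ec2:RunInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
                     **{"aws:RequestTag/costCenter": "1234"})
LAUNCH_UNTAGGED = _req("ec2:RunInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*")

# root -> OU -> account; the Production OU carries the restrictive SCP.
PROD_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, PROD_OU_SCP], [FULL_AWS_ACCESS]]
DEV_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]


def demo():
    return {
        "prod_admin_terminate": is_allowed(TERMINATE, PROD_CHAIN, [ADMIN_IAM_POLICY]),
        "dev_admin_terminate": is_allowed(TERMINATE, DEV_CHAIN, [ADMIN_IAM_POLICY]),
        "prod_launch_tagged": is_allowed(LAUNCH_TAGGED, PROD_CHAIN, [ADMIN_IAM_POLICY]),
        "prod_launch_untagged": is_allowed(LAUNCH_UNTAGGED, PROD_CHAIN, [ADMIN_IAM_POLICY]),
        "prod_no_iam_policy": is_allowed(LAUNCH_TAGGED, PROD_CHAIN, []),  # SCP allows, IAM does not
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ALLOW' if verdict else 'DENY'}")
```

The last case is the one people most often get wrong: the SCP lets the tagged launch through, yet the identity has no IAM policy granting ec2:RunInstances, so the result is still a deny. Removing FULL_AWS_ACCESS from any level of PROD_CHAIN turns every request into a deny as well, which is why a deny-list SCP must be attached alongside an allowing one.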

In essence, SCPs provide a robust mechanism for centralized governance, enabling you to manage permissions efficiently across multiple AWS accounts.
