Service Control Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Mastering Service Control Policies (SCPs)
Introduction: The Foundation of Guardrails
In the landscape of modern cloud infrastructure, managing permissions across hundreds or even thousands of individual accounts is a daunting task. As organizations scale, the challenge shifts from simply granting access to individuals to ensuring that no user, regardless of their administrative privileges, can accidentally or maliciously violate the core security requirements of the organization. This is where Service Control Policies (SCPs) come into play.
Service Control Policies are a type of organization policy that you can use to manage permissions in your organization. They offer central control over the maximum available permissions for all accounts in your organization. Think of an SCP not as a tool to grant permissions, but as a boundary that defines what is possible within an account. If a user has an IAM policy that allows them to delete an entire database, but an SCP exists that denies the ability to delete databases, the SCP wins. This hierarchy ensures that security teams can set non-negotiable rules that apply across the entire environment, regardless of what local administrators decide to do within their specific accounts.
Understanding SCPs is essential for anyone responsible for cloud security, governance, or platform engineering. Without them, you are relying on the assumption that every local account administrator will perfectly configure their local IAM policies. In a large organization, this is a dangerous assumption. By mastering SCPs, you move from a reactive security posture—where you scramble to fix misconfigurations—to a proactive, preventative posture where guardrails are built into the foundation of your cloud ecosystem.
How SCPs Fit into the Authorization Hierarchy
To truly understand SCPs, you must visualize how they interact with other permission mechanisms. Access control in a cloud environment is rarely determined by a single policy document. Instead, it is the result of an evaluation process that considers multiple layers of logic.
When a request is made to an API, the system evaluates the policy set. The evaluation logic follows a strict set of rules:
- Deny by Default: If no policy explicitly allows an action, the request is denied.
- Explicit Deny: If any policy anywhere in the evaluation chain contains an explicit deny, the request is denied, regardless of any allow statements.
- Allow: If there is no explicit deny and at least one allow statement exists, the request is granted.
SCPs occupy a unique position in this chain because they act as a "filter" or a "boundary." They do not grant permissions; they only restrict them. If an IAM user has full administrative rights, but an SCP is attached to their account that denies access to a specific service, the user will be unable to use that service. This is why SCPs are often referred to as "permission boundaries" or "guardrails."
Callout: SCPs vs. IAM Policies It is a common mistake to confuse SCPs with IAM policies. An IAM policy defines what a user or role can do. An SCP defines what cannot be done within an account. You cannot use an SCP to grant a user permission to access an S3 bucket. You can only use an SCP to prevent a user from ever creating an S3 bucket, or from deleting one, even if their IAM policy says they are allowed to do so.
Anatomy of a Service Control Policy
An SCP is a JSON document that looks and feels very similar to an IAM policy. It consists of a version, an ID (optional), and a statement block. Within the statement block, you define the effect (Allow or Deny), the actions to be performed, and the resources to which the policy applies.
The Structure of the JSON
A typical SCP contains the following elements:
- Version: Usually "2012-10-17", indicating the version of the policy language.
- Statement: The core of the policy, containing an array of objects.
- Effect: Either "Allow" or "Deny".
- Action: The specific API actions you want to control (e.g.,
s3:DeleteBucket). - Resource: The specific resources the policy applies to. In SCPs, this is often set to
*to apply the policy to all resources within the account. - Condition (Optional): Logic that further restricts when the policy applies, such as restricting actions based on IP address or region.
Example: A Simple Deny Policy
The most common use case for an SCP is to restrict access to specific services in certain regions. For example, if your organization is only authorized to operate in the US-East-1 region, you want to ensure that no one accidentally spins up resources in other regions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegion",
"Effect": "Deny",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": "us-east-1"
}
}
}
]
}
In this example, the NotAction element is used to ensure that global services (like IAM and Organizations) remain accessible, while all other services are denied if they are not requested in us-east-1. This is a powerful, concise way to enforce regional compliance.
Implementing SCPs: A Step-by-Step Guide
Implementing SCPs is not something you should do in a live production environment without extensive testing. Because SCPs can effectively "lock out" even root users from critical services, a poorly designed policy can cause significant operational disruption.
Step 1: Planning and Scoping
Before you write a single line of JSON, determine exactly what behavior you are trying to prevent. Are you trying to stop users from leaving the organization? Are you trying to prevent the deletion of production databases? Create a list of the specific API calls that correspond to these actions.
Step 2: Testing in a Sandbox
Never attach an SCP to your root organization unit (OU) or a production OU immediately. Create a dedicated sandbox account, move it into a test OU, and attach your draft SCPs there. Perform the actions you are trying to block to verify that the SCP behaves as expected.
Step 3: Enabling SCPs in your Organization
Before you can attach policies, you must ensure that your organization has "All Features" enabled. This is a one-way process that unlocks the ability to use SCPs and other advanced management features.
Step 4: Attaching the Policy
Once tested, you can attach the policy to an OU. When you attach an SCP to an OU, it automatically applies to all accounts within that OU, as well as any accounts in nested OUs.
Warning: The "Full Control" Trap Be extremely careful when applying a "Deny" policy to an entire organization. If you accidentally deny all actions for all users, you can effectively lock yourself out of your entire cloud environment. Always start by applying policies to a single, non-critical test account before moving to broader OUs.
Best Practices for SCP Management
Managing SCPs effectively requires a disciplined approach. As your organization grows, the number of policies can become difficult to track. Follow these industry-standard practices to maintain control.
Use Descriptive Policy Names and IDs
Always use clear, descriptive names for your policies. Instead of "Policy1", use "Deny-S3-Deletion-Production". Include comments within the JSON using the Sid (Statement ID) field to explain why the policy exists. This is helpful for auditors and future team members who need to understand the intent behind the restriction.
Follow the Principle of Least Privilege
Just as you do with IAM policies, apply the principle of least privilege to your SCPs. Do not create massive, catch-all policies that block hundreds of services if you only need to block one or two. Smaller, modular policies are easier to debug, test, and maintain.
Use "Allow" Lists Carefully
While "Deny" is the most common use case for SCPs, you can also use "Allow" lists. In this model, you explicitly allow only a small set of services, and everything else is implicitly denied by the SCP. This is a very restrictive, "locked-down" approach often used in high-security environments like financial services or healthcare.
Regularly Audit Your Policies
Policies that were relevant a year ago may no longer be necessary today. Schedule quarterly reviews of your SCPs. Remove policies that are no longer needed and update existing ones to reflect changes in your organizational structure or business requirements.
| Best Practice | Description |
|---|---|
| Modular Design | Break large policies into smaller, specific ones for better readability. |
| Test First | Always test in a sandbox OU before moving to production. |
| Version Control | Store your SCPs in a version control system like Git to track changes. |
| Documentation | Document the intent of every SCP in a central repository. |
| Monitor Denials | Use cloud logs (like CloudTrail) to monitor for denied API calls caused by your SCPs. |
Common Pitfalls and How to Avoid Them
Even experienced engineers run into trouble with SCPs. Being aware of these common mistakes will save you from significant headaches.
The "Lockout" Scenario
The most common mistake is creating a policy that denies access to the very services required to manage the policy itself. For example, if you accidentally deny organizations:DetachPolicy in a policy that you then attach to the root, you may find that you can no longer remove that policy. Always ensure that your administrative roles have an "escape hatch" or that your policies do not block necessary administrative actions.
Ignoring the "Full Control" Requirement
Some services require specific permissions to function correctly. If you create a broad "Deny" policy, you might inadvertently break services that depend on other services in the background. Always check the service documentation for any "service-linked role" requirements. Service-linked roles are often exempt from some restrictions, but not always.
Misunderstanding the Hierarchy
Remember that SCPs are hierarchical. A policy attached to the root affects everything. A policy attached to an OU affects that OU and everything below it. If you have conflicting policies at different levels, the most restrictive policy usually wins, but the evaluation logic can get complex. Keep your hierarchy as flat as possible to avoid confusion.
Note: Monitoring is Key When you implement a new SCP, you will likely see an increase in "Access Denied" errors in your logs. This is normal, but you should treat it as a signal. Use log analytics tools to correlate these denials with specific users or roles to ensure that your SCP is not blocking legitimate business processes.
Advanced Techniques: Using Conditions
Conditions allow you to make your SCPs dynamic. Instead of a hard "Deny", you can create conditional logic that makes the policy context-aware.
Example: IP-Based Restrictions
You might want to restrict access to your production environment so that it can only be accessed from your corporate office's IP range.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyCorporateIP",
"Effect": "Deny",
"NotAction": "sts:GetCallerIdentity",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "192.0.2.0/24"
}
}
}
]
}
In this example, any request that does not originate from the specified IP range is denied. Note the use of NotAction to allow the sts:GetCallerIdentity call, which is often required for tools to identify who is making the request.
Example: Tag-Based Restrictions
You can use tags to enforce compliance. For instance, you could deny the ability to create any resource that does not have a "Project" tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireProjectTag",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Project": "*"
}
}
}
]
}
This ensures that any EC2 instance created without a "Project" tag will fail to launch. This is a powerful way to enforce cost tracking and resource ownership across your organization.
Scaling SCP Management with Infrastructure as Code (IaC)
As your organization grows, managing SCPs manually via the web console becomes unsustainable. You should treat your SCPs like any other piece of code: store them in a version control system, subject them to peer review, and deploy them using an automated pipeline.
Using Terraform for SCPs
Terraform is an excellent tool for managing SCPs. It allows you to define your policies in HCL (HashiCorp Configuration Language) or JSON, attach them to OUs, and track the state of your organization.
resource "aws_organizations_policy" "deny_region" {
name = "DenyNonUSRegion"
description = "Deny all actions outside of us-east-1"
content = file("policies/deny_region.json")
}
resource "aws_organizations_policy_attachment" "example" {
policy_id = aws_organizations_policy.deny_region.id
target_id = "ou-abcd-1234"
}
By using IaC, you create an audit trail of every change made to your security guardrails. If a policy change causes an issue, you can quickly revert to the previous version. This also enables you to implement a "pull request" workflow where security team members review proposed policy changes before they are applied.
The Role of SCPs in Compliance and Auditing
For organizations in regulated industries, SCPs are not just a best practice; they are a compliance requirement. Auditors frequently look for evidence that organizations have implemented "preventative controls." SCPs provide concrete, machine-readable proof that you are actively preventing unauthorized actions.
When an auditor asks how you prevent data exfiltration, you can point to an SCP that denies the ability to make S3 buckets public. When they ask how you prevent unauthorized resource usage, you can show them your regional restriction policy. Because these policies are enforced at the organization level, they provide a much stronger guarantee than manual processes or periodic scans.
Preparing for an Audit
To prepare for an audit, ensure that:
- All SCPs are clearly documented with their business purpose.
- You have a log of who approved the creation or modification of each SCP.
- You can demonstrate that the SCPs are active and correctly applied to the target OUs.
- You have a process for reviewing and updating these policies to address new threats or business needs.
Troubleshooting Common Issues
Even with the best planning, things can go wrong. Here is a guide to troubleshooting some of the most common SCP issues.
"Why is my user getting an Access Denied error?"
If a user reports an error, the first step is to check CloudTrail. Look for the errorCode field in the event. If it says AccessDenied, check the userIdentity and the requestParameters. If the user has sufficient IAM permissions, the next place to look is the SCPs. Check which OUs the user's account belongs to and review the policies attached to those OUs and any parent OUs.
"I can't see the SCPs in the console."
If you cannot see SCPs, ensure that your organization has "All Features" enabled. If you are using a management account, ensure that your role has the necessary permissions to view organizational policies. If you are a member of a delegated administrator account, ensure that the management account has granted you the necessary permissions to manage policies.
"The policy seems correct, but it's not working."
Check the JSON syntax. A missing comma or a bracket in the wrong place can invalidate the entire policy. Use a JSON validator to check your syntax before attempting to apply the policy. Also, remember that changes to SCPs can take a few minutes to propagate across your entire organization. Be patient after applying a change.
Callout: The Power of Delegated Administration You don't have to use the root account to manage your organization. You can delegate organizational management tasks to a specific member account. This follows the security principle of keeping your root account as clean and unused as possible. Delegate SCP management to a "Security" or "Governance" account to improve your overall security posture.
Summary: Key Takeaways for Success
Service Control Policies are the cornerstone of a secure, governed cloud environment. By acting as a global guardrail, they allow you to maintain control even as your organization scales. Here are the key takeaways to remember:
- SCPs are Boundaries, Not Permissions: They define what is not allowed. They cannot be used to grant access, only to restrict it.
- Deny by Default: Always remember that if something is not explicitly allowed, it is denied. SCPs add an extra layer of "Explicit Deny" that overrides local permissions.
- Test in Sandboxes: Never push a new SCP to production without testing it in a safe, isolated environment. The potential for disruption is high.
- Use Infrastructure as Code: Manage your policies through code to enable version control, peer reviews, and automated deployment. This is the only way to manage large-scale environments effectively.
- Start Small and Iterate: Don't try to create a "master" policy that covers everything. Create small, modular policies that are easy to understand and maintain.
- Monitor Your Denials: Use CloudTrail to keep an eye on what your SCPs are blocking. This will help you identify both legitimate business needs you might have accidentally blocked and potential security incidents.
- Document Everything: Treat your SCPs as living documentation. Explain the "why" behind every restriction so that future team members don't accidentally remove a critical security control.
By following these principles, you will be well on your way to building a resilient, secure, and compliant cloud organization. The journey to mastering SCPs is one of continuous learning and refinement, but the result—a secure and predictable environment—is well worth the effort.
Quick Reference: SCP Evaluation Flow
- Step 1: User makes an API request.
- Step 2: IAM checks the user's local policies (Allow/Deny).
- Step 3: SCPs are checked for the account (Allow/Deny).
- Step 4: If an explicit DENY exists in either IAM or SCP, the request is rejected.
- Step 5: If an ALLOW exists in both IAM and SCP, the request is granted.
- Step 6: If no ALLOW exists, the request is rejected by default.
Common Questions (FAQ)
Q: Can I apply an SCP to a specific user? A: No. SCPs are applied to organizational units (OUs) or accounts, not individual users or roles. If you need to restrict a specific user, use an IAM policy or a permission boundary.
Q: How long does it take for an SCP change to take effect? A: Changes to SCPs are usually effective almost immediately, but they can take a few minutes to propagate across all regions and accounts in your organization.
Q: Does an SCP affect the management account? A: Yes, SCPs apply to all accounts in the organization, including the management account. Be extremely careful when applying policies that could lock out the management account.
Q: What happens if I attach multiple SCPs to an OU? A: All SCPs attached to an OU are evaluated. If any one of those policies denies an action, the action is denied. All policies must essentially "agree" to allow an action for it to be permitted.
Q: Can I use SCPs to restrict access to non-AWS services? A: No. SCPs only control actions against AWS services and APIs. They have no visibility or control over third-party applications running within your cloud instances.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons