Service Control Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Understanding Service Control Policies (SCPs) in AWS
Introduction: The Foundation of Guardrails
In the modern landscape of cloud computing, managing permissions across hundreds or even thousands of accounts is a complex undertaking. While standard Identity and Access Management (IAM) policies allow you to define what a specific user or role can do, they often struggle to provide a "hard limit" that applies to everyone within an organization. This is where Service Control Policies (SCPs) come into play. SCPs act as the foundational guardrails for your cloud environment, defining the maximum permissions that any account within your organization can possess.
Think of an IAM policy as a specific set of instructions for an individual employee on what they are allowed to touch in a filing cabinet. An SCP, by contrast, is the lock on the room that contains all the filing cabinets. Even if the employee has a key to a specific drawer (via an IAM policy), if the room itself is locked by an SCP, they cannot access the contents. Understanding this distinction is vital because it changes how you approach security architecture. Instead of relying solely on "least privilege" for individual users, you can establish global boundaries that prevent accidental or malicious actions from ever occurring, regardless of the permissions granted to a user.
Why does this matter? As organizations grow, the risk of "permission creep" increases. Developers might accidentally create public S3 buckets, launch expensive resources in unauthorized regions, or inadvertently disable security logging. SCPs ensure that even if an administrator creates a policy granting full access to an IAM user, the SCP will step in to block actions that violate your organizational safety standards. This lesson will dive deep into how these policies function, how to write them effectively, and how to manage them within a multi-account environment.
The Architecture of SCPs
To understand SCPs, you must first understand the AWS Organizations structure. AWS Organizations allows you to group accounts into Organizational Units (OUs). SCPs are applied at the root, at an OU level, or directly to an individual account. When you attach an SCP to an OU, every account within that OU inherits the policy. This hierarchical inheritance is the core strength of SCPs.
How Policy Evaluation Works
The evaluation logic for SCPs is strictly "deny-first." This means that an action is only allowed if it is explicitly allowed by both the SCP and the IAM policy, and it is not explicitly denied by either. If an SCP denies an action, no IAM policy in the world can override that denial. This is a powerful mechanism for centralized control.
Callout: IAM Policies vs. SCPs While both use the JSON-based policy language, they serve different purposes. IAM policies define permissions for identities (users, groups, roles). SCPs define the maximum permissions available to an account. An IAM policy can never grant more access than what the SCP allows. If an SCP denies access to
s3:DeleteBucket, that action is impossible in the account, even for the root user.
The Two Types of SCPs
There are two primary modes for managing SCPs: the "Allow List" strategy and the "Deny List" strategy.
- Deny List Strategy: In this approach, you allow all actions by default (using a "FullAWSAccess" policy) and add specific SCPs to deny access to certain services or actions. This is the most common starting point because it is less likely to break existing workloads.
- Allow List Strategy: This is a more restrictive approach. You create policies that only allow specific services or actions and implicitly deny everything else. This provides the highest level of security but requires a deep understanding of your infrastructure, as it can easily disrupt automated processes and service-to-service communication.
Writing and Implementing SCPs
Writing an SCP requires familiarity with the AWS policy language. The structure is nearly identical to IAM policies, consisting of Version, Statement, Effect, Action, and Condition blocks. However, there are some unique nuances when dealing with SCPs.
Example 1: Restricting Regions
One of the most frequent use cases for SCPs is preventing users from launching resources in unauthorized geographic regions. This is useful for data residency compliance or cost management.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllRegionsExceptUS",
"Effect": "Deny",
"NotAction": [
"iam:*",
"support:*",
"organizations:*",
"route53:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
Explanation of the Code:
- Sid: A descriptive identifier for the statement.
- Effect: Set to
Denyto block the action. - NotAction: This is crucial. We exclude global services (IAM, Support, Organizations) because they do not operate within a specific region. If you denied these, you would effectively lock yourself out of managing the account.
- Condition: The
aws:RequestedRegionkey checks where the request is being made. If it is not in the specified list, theDenyeffect triggers.
Example 2: Preventing the Disabling of CloudTrail
Security logging is non-negotiable. You want to ensure that no one, not even an account administrator, can turn off audit logging.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventCloudTrailTampering",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail"
],
"Resource": "*"
}
]
}
Warning: The "Lockout" Risk When writing SCPs, always test in a sandbox or a non-production OU first. If you write an SCP that denies
iam:CreateRoleoriam:PutRolePolicywithout careful consideration, you might prevent your own administrative accounts from managing permissions, making it impossible to fix the policy without contacting root-level support.
Step-by-Step Implementation Guide
Implementing SCPs is a process that requires careful planning. Follow these steps to ensure a smooth deployment.
Step 1: Enable All Features in AWS Organizations
Before you can use SCPs, you must ensure that your organization has "All Features" enabled rather than just "Consolidated Billing."
- Log into the AWS Management Console as the organization's management account.
- Navigate to the AWS Organizations dashboard.
- Click on Settings and ensure the feature set is set to All Features.
Step 2: Create the Policy
- In the Organizations dashboard, select Policies from the left-hand menu.
- Select Service control policies and click Create policy.
- Give your policy a name and a meaningful description.
- Paste your JSON policy into the editor.
- Save the policy.
Step 3: Attach the Policy
- Select the policy you just created.
- Click the Targets tab.
- Choose the OU or specific account where you want to apply the policy.
- Click Attach.
Step 4: Verification
Always test the policy. Attempt to perform an action that the policy should block. For example, if you restricted a region, try to launch an EC2 instance in a forbidden region. You should receive an "Access Denied" error message.
Best Practices for SCP Management
Managing SCPs is not a "set it and forget it" task. As your organization evolves, your policies will need to be updated.
1. Start with the "Deny List"
As mentioned earlier, the Deny List strategy is the safest starting point. It allows you to introduce guardrails without blocking legitimate business operations. Once you are comfortable with the environment, you can migrate to more restrictive policies.
2. Use Descriptive SIDs
Since you will likely have multiple SCPs, using clear Sid (Statement IDs) is essential for troubleshooting. When a user gets an "Access Denied" error, the error message will often reference the policy ID and sometimes the statement ID, making it much easier to identify which rule caused the block.
3. Keep Policies Small and Modular
Instead of one massive, monolithic SCP that covers every possible restriction, break your policies into functional areas.
- Security SCPs: Policies that protect logging and monitoring.
- Compliance SCPs: Policies that enforce region restrictions or encryption requirements.
- Cost Management SCPs: Policies that restrict the use of expensive instance types. This modularity makes it easier to test, update, and audit your policies.
4. Implement a "Break-Glass" Procedure
Always maintain a way to bypass or temporarily disable an SCP in an emergency. This usually involves having a specific "Management OU" that is exempt from the most restrictive SCPs, where a highly privileged, break-glass account resides.
5. Version Control
Treat your SCPs like code. Store them in a Git repository. This allows you to track changes, peer-review policies before they are pushed to production, and roll back to a previous state if an update causes an unexpected issue.
Comparison of Control Mechanisms
It is helpful to visualize where SCPs fit in the broader security landscape.
| Feature | SCP | IAM Policy | Permission Boundary |
|---|---|---|---|
| Scope | Account/OU/Org | User/Role | User/Role |
| Primary Use | Global Guardrails | Fine-grained access | Delegated administration |
| Evaluation | Deny-first | Deny-first | Intersection |
| Managed by | Org Admin | Account Admin | Account Admin |
Callout: Understanding Permission Boundaries A permission boundary is another way to restrict permissions, but it operates differently than an SCP. A boundary is a policy attached to an IAM identity that sets the maximum permissions that identity can ever have. While an SCP sets a ceiling for the account, a boundary sets a ceiling for a specific user or role. They are often used together to allow developers to create their own roles without giving them the power to grant themselves administrative access.
Common Pitfalls and Troubleshooting
Even experienced architects run into issues with SCPs. Here are the most frequent mistakes and how to avoid them.
The "Global Service" Trap
Many developers forget that global services like IAM, Route 53, and CloudFront do not have a "region." If you write a blanket "Deny all actions not in us-east-1" policy, you will inadvertently block these services, which will break almost everything in your account. Always use the NotAction block for global services or ensure your Condition block explicitly accounts for them.
Denying the "Organizations" Service
If you create an SCP that denies organizations:* actions, you might find yourself unable to manage the organization itself from within that account. While SCPs generally do not block the management account from modifying the SCPs, applying a broad deny policy to an OU that includes the management account can lead to circular dependencies.
Ignoring the "FullAWSAccess" Policy
When you first enable SCPs, AWS provides a default policy called FullAWSAccess. This policy is an "allow all" rule. If you do not attach this policy to your OUs or accounts, the default behavior of an account with no SCPs is to allow all actions. However, the moment you attach any SCP to an OU, you must ensure that the FullAWSAccess policy (or an equivalent allow-all policy) is also attached, or you will effectively deny everything by default.
Troubleshooting Steps
If a user is denied access, follow this logical flow:
- Check the IAM Policy: Does the user's role have the necessary permissions?
- Check the Permission Boundary: Is there a boundary restricting the user's role?
- Check the SCP: Is there an SCP attached to the account or the OU that denies the action?
- Check the Organization: Is the policy actually attached to the correct target?
Tip: You can use the "IAM Policy Simulator" to test if an IAM policy allows an action, but remember that the simulator does not always account for SCPs. For SCP troubleshooting, rely on the CloudTrail logs. When an action is denied by an SCP, the CloudTrail event will clearly show the "ErrorCode: AccessDenied" and often point to the policy responsible.
Advanced Topics: Condition Keys and Tags
Beyond simple Deny actions, you can use Condition keys to create highly nuanced policies. For example, you can allow a user to launch an EC2 instance only if they use a specific tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceTagging",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/Project": "*"
}
}
}
]
}
In this example, the SCP denies the ec2:RunInstances action if the request does not include a tag with the key Project. This is a powerful way to enforce governance standards across an entire organization without having to manually check every resource.
Automating Policy Deployment
As your organization scales, manual attachment of SCPs becomes unsustainable. You should look into using Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation. By defining your SCPs in code, you can automate the deployment across multiple OUs, ensure consistency, and maintain a clear audit trail of who changed what and when.
The Role of SCPs in Compliance
For regulated industries (finance, healthcare, government), SCPs are not just a "nice to have"—they are a requirement for compliance. Frameworks like PCI-DSS, HIPAA, and SOC2 often require strict controls over data residency, logging, and encryption.
- Encryption Enforcement: You can write an SCP that denies the creation of an EBS volume or S3 bucket unless the request specifies an encryption key.
- Data Residency: As shown in the previous example, you can enforce that data never leaves a specific geographic region.
- Public Access Blocks: You can globally deny the
s3:PutBucketPublicAccessBlockaction to ensure that no S3 bucket can ever be made public, regardless of what a user tries to configure.
By hard-coding these requirements into your SCPs, you provide "continuous compliance." Instead of periodic audits where you hope your teams are following the rules, you have a system that makes it technically impossible to deviate from the policy.
Summary of Key Takeaways
Service Control Policies represent the most powerful tool in the AWS administrator's toolkit for maintaining control over a multi-account environment. By mastering them, you shift your security posture from reactive to proactive.
- SCPs define the "Maximum Permissions": They act as the upper bound for what any identity within an account can do. They cannot grant access, only restrict it.
- The Deny-First Logic: Any explicit
Denyin an SCP will override anyAllowin an IAM policy. This is the bedrock of the "guardrail" philosophy. - Hierarchical Inheritance: SCPs applied at the Root or an OU level cascade down to all member accounts, providing centralized oversight and uniform enforcement.
- Start with a Deny List: Begin your implementation by blocking only the most critical risks (like disabling CloudTrail) to avoid accidental service disruptions, then gradually move to more restrictive policies as you gain confidence.
- Use Modular Policies: Group your SCPs by purpose (Security, Compliance, Cost) rather than creating one giant, unmanageable policy.
- Test in Sandboxes: Never deploy an SCP directly to a production OU without verifying the behavior in a test environment. The risk of locking out administrators is real and significant.
- Treat Policies as Code: Use version control and IaC to manage your SCPs. This ensures transparency, peer review, and the ability to roll back changes when things go wrong.
By integrating these practices into your daily operations, you ensure that your cloud environment remains secure, compliant, and cost-effective, even as your organization continues to expand. Remember that the goal of an SCP is to empower your teams to move fast by providing them with a safe, pre-defined sandbox where they cannot accidentally compromise the organization's security.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons