Service Control Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Mastering Service Control Policies (SCPs) in AWS
Introduction: The Architecture of Governance at Scale
As organizations grow, the traditional "one account" approach to cloud computing quickly becomes a bottleneck. Managing security, compliance, and billing for a single account is straightforward, but when you scale to dozens or hundreds of AWS accounts, the administrative overhead becomes unsustainable. This is where AWS Organizations comes into play, providing a centralized framework for managing multiple accounts. Within this framework, Service Control Policies (SCPs) serve as the primary mechanism for establishing guardrails across your entire environment.
Service Control Policies are a type of organization policy that you can use to manage permissions in your organization. Think of an SCP as a "permission boundary" for your accounts. While Identity and Access Management (IAM) policies define what a user or role can do, SCPs define what is possible to do within an account, regardless of the permissions assigned to the users inside that account. Even if an administrator has full AdministratorAccess within a member account, they cannot bypass the restrictions set by an SCP applied to that account.
Understanding SCPs is critical for any cloud architect or security engineer because they provide the "deny-by-default" governance model required in regulated industries. Whether you need to prevent developers from launching expensive instances in unauthorized regions, ensure that logging services like CloudTrail are never disabled, or restrict the use of specific services to maintain compliance, SCPs are your most powerful tool. This lesson will guide you through the theory, implementation, and operational best practices for managing complex multi-account environments using SCPs.
The Mechanics of SCPs: How They Function
To work effectively with SCPs, you must first understand the evaluation logic of the AWS policy engine. SCPs do not grant permissions; they only restrict them. When you attach an SCP to an Organizational Unit (OU) or an individual account, it acts as a filter on the effective permissions of the identities within those accounts.
The Permission Filter Logic
When a request is made in an AWS account, the authorization engine checks all applicable policies. For a request to be allowed, the following conditions must be met:
- Explicit Deny: If any policy in the chain (IAM, SCP, Permissions Boundary) explicitly denies the action, the request is blocked.
- Implicit Deny: If there is no explicit allow, the request is denied by default.
- The SCP Intersection: SCPs act as a ceiling. If an IAM policy allows an action, but an SCP denies it, the action is denied. If an IAM policy denies an action, it remains denied regardless of the SCP.
Callout: The "Guardrail" Analogy Think of IAM policies as the "driver" of a car—they decide where the car goes and what speed it travels. Think of an SCP as the "speed governor" installed by the car manufacturer. Even if the driver presses the gas pedal to the floor (full IAM permissions), the car will never exceed the speed set by the governor (the SCP). This distinction is vital for maintaining security in decentralized environments.
Policy Structure
An SCP looks very similar to an IAM policy. It uses JSON syntax and consists of a Version, an Id, and a Statement array. Each statement contains an Effect (Allow or Deny), Action (the API calls being restricted), and Resource (the AWS entities being targeted).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegionAccess",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
In the example above, we are restricting the ability to launch EC2 instances to only two specific regions. Any attempt to launch an instance in eu-central-1 or any other region will be blocked, even if the user has ec2:* permissions in their local IAM policy.
Implementing SCPs: A Step-by-Step Guide
Deploying SCPs in a production environment should never be done in a "big bang" fashion. Because SCPs can inadvertently break critical infrastructure, you must follow a disciplined deployment process.
Step 1: Enable All Features in AWS Organizations
Before you can use SCPs, your organization must be in "All Features" mode. If you are currently in "Consolidated Billing" mode, you will need to initiate the upgrade process, which requires an invitation acceptance from every member account.
Step 2: Create a Sandbox OU
Never test SCPs directly on your production Organizational Units. Create a dedicated "Sandbox" or "Testing" OU. Move a non-production account into this OU to verify the policy behavior before applying it to your core business accounts.
Step 3: Authoring and Attaching the Policy
- Navigate to the AWS Organizations console.
- Select Policies from the left-hand navigation pane.
- Choose Service Control Policies.
- Click Create policy, provide a name and description, and input your JSON policy document.
- Once created, go to the AWS Accounts tab, select the target OU, and click Attach.
Step 4: Monitoring and Iteration
Use AWS CloudTrail to monitor for AccessDenied errors immediately after attaching a policy. If you see a spike in errors, check the event details to determine if your SCP is blocking a legitimate service request. Use the "Dry Run" capabilities or test the policy in a restricted environment first.
Practical Scenarios and Policy Examples
The true power of SCPs lies in their ability to enforce organizational standards across hundreds of accounts simultaneously. Below are common scenarios encountered by cloud architects.
Scenario 1: Preventing the Disabling of CloudTrail
In a regulated environment, you must ensure that audit logs cannot be tampered with. You can use an SCP to deny any attempt to stop or delete CloudTrail trails.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ProtectCloudTrail",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail"
],
"Resource": "*"
}
]
}
Why this matters: Even if an attacker gains administrative credentials to a member account, they cannot hide their tracks by disabling logging.
Scenario 2: Enforcing Mandatory Tags
If you have a strict cost-allocation policy, you can force users to include specific tags when creating resources. While this is often done via IAM, an SCP acts as a final safety net to ensure compliance.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireCostCenterTag",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/CostCenter": "true"
}
}
}
]
}
Warning: Complexity Trap Be extremely careful when using
Denypolicies with conditions. If you create an overly complex policy, you might inadvertently block yourself out of essential management tasks. Always include an "escape hatch" by excluding your administrative role or a specific "break-glass" role from the policy restriction.
Best Practices for Managing SCPs
Managing SCPs is not just about writing JSON; it is about managing the lifecycle of your governance model. Follow these industry-standard practices to maintain a healthy environment.
1. Start with "FullAWSAccess"
By default, the root of your organization has a policy called FullAWSAccess. Do not delete this policy. Instead, create new, more restrictive policies and attach them to specific OUs. This ensures that you have a clear path to revert changes if something goes wrong.
2. Use a Hierarchical Strategy
Structure your AWS Organizations OUs by environment (e.g., Production, Staging, Development) or by business function. Apply broad, permissive SCPs at the root and apply increasingly restrictive SCPs as you move down the OU tree. This "inheritance" model makes it easier to manage security posture.
3. Document Every Policy
An undocumented SCP is a ticking time bomb. When a developer gets an AccessDenied error six months from now, they need to know why. Maintain a central repository (like a Git repository) that stores your SCP JSON files, along with documentation explaining the intent, the target accounts, and the contact person for that policy.
4. Implement "Break-Glass" Provisions
Always ensure that your core administrative roles (e.g., your IAM roles used by the Cloud Engineering team) are exempted from SCPs. You can do this by using the aws:PrincipalArn or aws:PrincipalTag condition keys to exclude your trusted administrative identities from the Deny statements.
| Strategy | Benefit | Risk |
|---|---|---|
| Broad Application | High security consistency | Potential for operational disruption |
| Targeted Application | Low impact on teams | Increased management complexity |
| Deny-Only Approach | Simplifies logic | Does not prevent new services |
Common Pitfalls and How to Avoid Them
Even experienced architects fall into traps when working with SCPs. Recognizing these early will save you significant debugging time.
The "FullAWSAccess" Misconception
Many users mistakenly believe they need to modify the FullAWSAccess policy to restrict permissions. You should never modify this policy. Treat it as the baseline that allows everything. Your goal is to create additional policies that restrict specific actions, and then attach those to the appropriate OUs.
Neglecting the 5,120 Character Limit
SCPs have a maximum size of 5,120 characters. If you try to create a single, "God-mode" SCP that covers every possible restriction, you will hit this limit quickly. Instead, break your SCPs into modular policies based on their function (e.g., RestrictRegions, EnforceTagging, DisableServices).
Blocking the Root User
Be very careful when denying actions. If you accidentally deny iam:* or organizations:* for the root user or your primary administrative role, you could potentially lock yourself out of the organization. Always test these policies in a separate, isolated test organization before applying them to your production accounts.
Callout: The "Root" Sensitivity Remember that SCPs apply to all accounts, including the management account (formerly known as the master account). Applying a restrictive SCP to the root of your organization impacts every single account. Always use the OU structure to isolate changes to a subset of accounts first.
Advanced Troubleshooting: The AccessDenied Mystery
When a user reports an AccessDenied error, the first instinct is to check the IAM policy. However, in a multi-account environment, the IAM policy is only half the story. Here is a systematic approach to troubleshooting:
- Check the CloudTrail Event: Look at the
errorCodeanderrorMessagefields. If the error mentions an SCP, the message will explicitly state that the request was denied by an organization policy. - Review OU Inheritance: Use the AWS Organizations console to view the list of policies attached to the account and all parent OUs. Remember that policies are applied cumulatively; an
Allowin one place cannot override aDenyin another. - Analyze the JSON Logic: Double-check the
Conditionblocks. Often, a policy is working exactly as intended, but the condition is too restrictive (e.g., it only allows access from a specific IP range that has changed). - Use IAM Policy Simulator: While the simulator is excellent for IAM, it does not fully replicate SCP behavior. Use it to rule out local IAM issues first, then move to manual inspection of SCPs if the simulator shows "Allowed" but the request still fails.
The Role of SCPs in Compliance and Auditing
For organizations operating under frameworks like SOC2, HIPAA, or PCI-DSS, SCPs are not just a "nice to have"—they are a requirement for "preventative controls." Auditors look for evidence that you have technical guardrails in place to prevent unauthorized changes to security infrastructure.
By using SCPs, you can provide a clear, JSON-based audit trail of your governance model. You can demonstrate that it is technically impossible for a user to disable security logging or create resources in unauthorized geographic regions. This reduces the burden of manual audits and allows your security team to focus on proactive threat hunting rather than reactive policy enforcement.
Automating SCP Deployment
As your environment grows, you should move away from manual console configuration. Treat your SCPs as Infrastructure as Code (IaC). Use tools like Terraform or AWS CloudFormation to manage your SCPs. This allows you to:
- Version control your policies in Git.
- Peer-review policy changes before they are deployed.
- Roll back to previous versions if a policy causes an outage.
- Deploy policies consistently across multiple AWS Organizations (if using multiple organizations for different business units).
Summary and Key Takeaways
Service Control Policies are the bedrock of AWS multi-account governance. By mastering these policies, you shift from a reactive security posture to a proactive, "secure by design" architecture. Here are the essential takeaways from this lesson:
- SCPs are Guardrails, Not Permissions: They act as a ceiling for permissions. They can only deny, never grant. Any action must be allowed by both an IAM policy and an SCP to succeed.
- The "Deny-by-Default" Principle: Use SCPs to enforce strict compliance by denying non-compliant actions globally. This ensures that even accidental misconfigurations by users cannot lead to security breaches.
- Modularize Your Policies: Due to the 5,120-character limit, break your policies into small, focused, and reusable modules. This makes them easier to manage, test, and troubleshoot.
- Hierarchy is Your Friend: Leverage the OU structure to apply policies at the appropriate level. Test changes in a sandbox OU before rolling them out to production environments.
- Governance as Code: Store your SCPs in a version-controlled repository. Use CI/CD pipelines to deploy and update your policies, ensuring that you have a clear history of who changed what and why.
- Avoid Hardcoding: Where possible, use policy variables and conditions to make your SCPs flexible. However, keep the logic simple to ensure that the policy is readable and easy to maintain.
- Always Include an Escape Hatch: Protect your administrative roles from being locked out by your own policies. A well-designed SCP environment should always provide a way for the "break-glass" administrator to intervene in an emergency.
By following these principles, you will be able to build a robust, scalable, and secure AWS environment that can grow with your organization's needs. Remember that effective governance is an ongoing process of iteration, monitoring, and refinement. Start small, test thoroughly, and always keep the principle of least privilege at the center of your design.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons