AWS Organizations Service Control Policy
AWS Organizations Service Control Policies – SCPs provide central control over the maximum permissions available to all accounts in your organization, ensuring that member accounts stay within the organization's access control guidelines.
SCPs are one type of policy that can be used to manage an organization.
These features are only available to organizations that have enabled all features. They aren’t available to organizations that have enabled only consolidated billing.
SCPs alone are not sufficient to grant any permissions to accounts within the organization.
An SCP is a guardrail that bounds the actions accounts under an organization root or OU can take. IAM policies must still be attached to the users and roles in those accounts for permissions to actually be granted.
Effective permissions are the logical intersection of what the SCP allows and what the IAM identity-based or resource-based policies allow.
With an SCP attached to a member account, identity-based or resource-based policies grant permissions to an entity only if the action is allowed by both those policies and the SCP.
They don’t have any effect on users or roles within the management account. They only affect the member accounts of your organization.
SCPs never grant permissions; they only set the maximum permissions available to the affected accounts.
Users and roles must still be granted permissions using the appropriate IAM permission policies. A user with no IAM permission policy cannot access any service or perform any action, regardless of whether the relevant SCPs would allow it.
SCPs limit permissions for every entity in a member account, including the member account's root user.
The management (formerly master) account is not restricted by SCPs and can perform all actions.
This does not affect any service-linked roles. AWS service-linked roles allow other AWS services to integrate and work with AWS Organizations. They are not subject to SCP restrictions.
SCPs affect only IAM users and roles managed by accounts within the organization. They do not affect users or roles from accounts outside the organization.
SCP Strategies
An SCP called FullAWSAccess is automatically attached to each root, OU and account. This allows all actions and all services.
Deny list (blacklisting) strategy
All actions are allowed by default; the services and actions to be prohibited must be explicitly specified.
A deny list is built with Deny statements in SCPs attached alongside the default FullAWSAccess SCP.
SCPs that rely on Deny statements require less maintenance, since they do not need updating when AWS adds new services.
Deny statements also take up less space than Allow statements, making it easier to stay within the SCP size limits.
Allow list (whitelisting) strategy
All actions are denied by default; you specify which services and actions are allowed.
An allow list is built by removing the default FullAWSAccess SCP and attaching SCPs that explicitly allow only the permitted services and actions.
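The following is an added example, not code from the original page or from AWS: a simplified Python model of how the SCP layer and IAM identity-based policies combine, covering both the "effective permissions are the intersection" rule above and the deny-list and allow-list strategies. It assumes a deliberately reduced policy language (Action with `*`/`?` wildcards, Effect Allow/Deny, no Condition, no NotAction, no resource matching, no resource-based policies); the sample SCPs, IAM policies and the OU layout are constructed for illustration, and the action names are real IAM actions chosen only as examples.

```python
"""Simplified model of SCP + IAM evaluation (added example, not AWS's own evaluator).

Assumptions: statements use Action (string or list) with * and ? wildcards and
Effect Allow/Deny only; Condition, NotAction, Resource and resource-based
policies are ignored. Explicit Deny always wins, and an action must be allowed
by an SCP at every level of the hierarchy (root, each OU on the path, account).
"""
import fnmatch
from typing import Dict, List

Policy = Dict

# The SCP AWS attaches by default to every root, OU and account.
FULL_AWS_ACCESS: Policy = {"Version": "2012-10-17",
                           "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list strategy: keep FullAWSAccess and explicitly deny what is forbidden.
DENY_LIST_SCP: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}

# Allow-list strategy: replaces FullAWSAccess; only the listed services are usable.
ALLOW_LIST_SCP: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"}]}

# Sample IAM identity-based policies (constructed for the example).
ADMIN_IAM: Policy = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READONLY_IAM: Policy = {"Version": "2012-10-17",
                           "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def _actions(stmt: Dict) -> List[str]:
    act = stmt["Action"]
    return [act] if isinstance(act, str) else list(act)


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy: Policy, action: str) -> str:
    """Return 'deny', 'allow' or 'implicit_deny' for a single policy document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"          # explicit deny overrides any allow
            decision = "allow"
    return decision


def scp_level_allows(scps: List[Policy], action: str) -> bool:
    """One hierarchy level allows the action only if no attached SCP denies it
    and at least one attached SCP allows it (an SCP never grants by itself)."""
    decisions = [policy_decision(p, action) for p in scps]
    return "deny" not in decisions and "allow" in decisions


def is_allowed(action: str, identity_policies: List[Policy], scp_levels: List[List[Policy]],
               in_management_account: bool = False, service_linked_role: bool = False) -> bool:
    """Effective permission = IAM decision AND the SCP decision at every level.
    The management account and service-linked roles are not subject to SCPs."""
    iam = [policy_decision(p, action) for p in identity_policies]
    if "deny" in iam or "allow" not in iam:
        return False                   # no IAM grant means no access, whatever the SCPs say
    if in_management_account or service_linked_role:
        return True
    return all(scp_level_allows(level, action) for level in scp_levels)


def demo() -> Dict[str, bool]:
    """Hypothetical layout: root keeps FullAWSAccess; one OU adds a deny list,
    another OU replaces FullAWSAccess with an allow list."""
    deny_list_ou = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LIST_SCP]]
    allow_list_ou = [[FULL_AWS_ACCESS], [ALLOW_LIST_SCP]]
    return {
        "deny_list_admin_leave_org": is_allowed("organizations:LeaveOrganization", [ADMIN_IAM], deny_list_ou),
        "deny_list_admin_run_instances": is_allowed("ec2:RunInstances", [ADMIN_IAM], deny_list_ou),
        "deny_list_no_iam_policy": is_allowed("ec2:RunInstances", [], deny_list_ou),
        "allow_list_admin_create_user": is_allowed("iam:CreateUser", [ADMIN_IAM], allow_list_ou),
        "allow_list_readonly_put_object": is_allowed("s3:PutObject", [S3_READONLY_IAM], allow_list_ou),
        "allow_list_readonly_get_object": is_allowed("s3:GetObject", [S3_READONLY_IAM], allow_list_ou),
        "management_account_leave_org": is_allowed("organizations:LeaveOrganization", [ADMIN_IAM],
                                                   deny_list_ou, in_management_account=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The two things the model makes visible are that an empty IAM policy list is denied even under FullAWSAccess (the SCP sets a ceiling, it grants nothing), and that under the allow-list OU the admin IAM policy's `*` is cut down to the three listed services because the OU no longer carries FullAWSAccess.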
Testing the Effects of SCPs
SCPs should not be attached to the organization root without first testing their impact on accounts.
To ensure that users are not locked out of key services, create a separate OU with the SCP attached and move accounts into it one at a time or in small numbers.
AWS Certification Exam Practice Questions
Questions are collected via the Internet. The answers are marked according to my knowledge and understanding (which may differ from yours).
AWS services are constantly updated and the answers and questions may be out of date soon. So make sure to research accordingly.
AWS exam questions cannot be updated to keep up with AWS updates. This means that even if the underlying feature has been changed, the question may not be updated.
Your company plans to set up multiple accounts in AWS. IT Security has a requirement that certain services and actions be restricted to all accounts. How would the system work?