
SCPs

Pragya Keshap answered on February 21, 2023 Popularity 1/10 Helpfulness 1/10


    A Service Control Policy defines the AWS service actions, such as running EC2 instances, that are available for use in different accounts within an organization.

    In order to use SCPs, your organization must have All Features enabled.

    It is worth remembering that SCPs do not grant permissions! They control the maximum available permissions; they set a boundary on permissions.

    SCPs affect principals managed by the accounts in your organization; they do not affect resource-based policies.

    Remember that SCPs are guard-rails on what is permitted by IAM User and Role policies (see previous post about IAM for more info).

    By default, AWS Organizations cascades a FullAWSAccess policy to every OU and account (meaning that no particular boundary is applied). Organizations uses a Deny List strategy; therefore, if you want to set a boundary on some permissions, you need to add an explicit Deny List at whatever point of the hierarchy (root, OUs and individual accounts).

    It is possible, though, to remove FullAWSAccess and thereby adopt an Allow List strategy.

    This means that you have to create SCPs to allow permissions and attach them to every account and every OU above it.

    Source: Grepper
    Contributed on Feb 21 2023
    Pragya Keshap
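
The Deny List and Allow List strategies described in the answer above, modelled as a small evaluator. This is an added example, not part of the original answer and not AWS code; the function names, the sample hierarchies and the simplification to `Effect`/`Action` only (no `Resource`, `Condition` or `NotAction`) are assumptions.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption): statements carry only Effect and Action.
FULL_ACCESS = {"Effect": "Allow", "Action": ["*"]}  # stands in for FullAWSAccess

def _matches(patterns, action):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _has(level, effect, action):
    return any(s["Effect"] == effect and _matches(s["Action"], action) for s in level)

def scp_permits(path, action):
    """path = SCP statements attached at each level, root -> OU(s) -> account."""
    if any(_has(level, "Deny", action) for level in path):
        return False  # an explicit Deny at any level wins
    # No Deny: every level on the path must still carry an Allow.
    return all(_has(level, "Allow", action) for level in path)

def effective(path, iam_actions, action):
    # SCPs grant nothing: the identity policy must allow the action as well.
    return _matches(iam_actions, action) and scp_permits(path, action)

# Constructed sample hierarchies: [root, one OU, one account].
DENY_LIST = [
    [FULL_ACCESS],
    [FULL_ACCESS, {"Effect": "Deny", "Action": ["ec2:RunInstances"]}],
    [FULL_ACCESS],
]
ALLOW_LIST = [
    [FULL_ACCESS],
    [{"Effect": "Allow", "Action": ["s3:*"]}],
    [{"Effect": "Allow", "Action": ["s3:*"]}],
]
# Allow List where the account-level SCP does not repeat the s3 Allow.
ALLOW_LIST_GAP = ALLOW_LIST[:2] + [[{"Effect": "Allow", "Action": ["ec2:Describe*"]}]]

ADMIN = ["*"]            # identity policy allowing everything (constructed)
S3_READER = ["s3:Get*"]  # identity policy allowing only S3 reads (constructed)

if __name__ == "__main__":
    paths = {"deny list": DENY_LIST, "allow list": ALLOW_LIST, "gap": ALLOW_LIST_GAP}
    for name, path in paths.items():
        for act in ("ec2:RunInstances", "s3:GetObject"):
            print(f"{name:10} {act:18} admin allowed: {effective(path, ADMIN, act)}")
```

The `ALLOW_LIST_GAP` case is the one to check for when removing FullAWSAccess: an Allow missing at a single level blocks the action even for an administrator.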