Service Control Policy Essentials

Inception
Hello everyone. This article is part of the Terraform + AWS series, and it does not depend on any other article. I use this series to publish AWS + Terraform projects and knowledge.
Overview
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines.
A service control policy is used to manage your AWS Organizations / landing zone environment. By attaching SCPs at the OU or account level you can deny specific actions within that OU or account, e.g. deny EC2 instance creation for any instance type except t2.micro.
Today's article lists the essentials and considerations for using SCPs, and walks through creating a simple SCP.
Consideration
SCPs work alongside IAM identity policies, roles, permission boundaries and resource policies and do not replace them; AWS evaluates the combination of these policies and applies the most restrictive result.
An SCP cannot grant permissions; it only restricts them with Deny statements.
SCPs can be attached to OUs or AWS accounts.
An SCP is very similar to an inline policy, written as a JSON policy document.
SCPs have the highest priority, followed by permission boundaries and then IAM policies.
The default SCP, FullAWSAccess, does not deny anything.
SCPs do not support the Principal/NotPrincipal elements.
SCPs support Condition elements.
SCPs do not support NotResource: you must set the policy on a Resource.
A well-secured environment should include the following layers.
Explicit deny: set a deny policy for all resources.
SCP: use service control policies to keep your accounts within your regulations (e.g. required tags, region restrictions).
Permission boundary: use permission boundaries to cap the maximum privilege a policy can grant (e.g. require that the IAM admin attaches a permission boundary to every user, restricting their maximum privileges, and add a statement that denies altering that permission boundary).
IAM policy: use IAM policies to define what the user should access, or, if you have IAM Identity Center linked with AD, use a permission set that holds the policy.
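To make the evaluation order above concrete, here is a small offline simulator of how an SCP, a permission boundary and an identity policy combine for one request. This is an added example, not code from the article or from AWS: it embeds the article's own SCP as data, and the FullAWSAccess, DEV_BOUNDARY and DEV_IDENTITY policies, the account id and the ARN are constructed for the demo. It implements the rules listed above (an explicit Deny in any layer is final, an SCP never grants anything, every layer that applies must allow) and supports only the StringEquals/StringNotEquals operators the example policy needs.

```python
"""Local simulator of how an SCP, a permission boundary and an identity policy
combine for one request. Added example, not code from the article or from AWS;
the boundary and identity policies below are constructed for the demo."""
import fnmatch
import json

# The article's SCP: deny ec2:RunInstances unless the instance type is t3.micro.
ARTICLE_SCP = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "InstanceTypeRestriction", "Effect": "Deny",
      "Action": [ "ec2:RunInstances" ],
      "Resource": [ "arn:aws:ec2:*:*:instance/*" ],
      "Condition": { "StringNotEquals": { "ec2:InstanceType": "t3.micro" } } } ] }
""")
# AWS's default SCP, which allows everything (attached to the root by default).
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed sample policies (assumptions for this demo, not from the article).
DEV_BOUNDARY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
DEV_IDENTITY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
                              {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Evaluate StringEquals / StringNotEquals (the operators this demo needs).
    As in IAM, a missing context key fails StringEquals and satisfies StringNotEquals."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} is not supported by this demo")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals" and (actual is None or actual not in expected):
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def evaluate_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(action, p) for p in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in resources):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny is final
        verdict = "Allow"
    return verdict


def evaluate_scps(levels, action, resource, ctx):
    """levels = the SCP lists attached at each level on the path root -> OU -> account.
    At each level at least one SCP must allow the action and none may deny it;
    the request has to pass every level (SCPs only ever narrow what is possible)."""
    for scps in levels:
        verdicts = [evaluate_policy(p, action, resource, ctx) for p in scps]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return "Deny"
    return "Allow"


def is_allowed(action, resource, ctx, scp_levels, boundary=None, identity=None):
    """Combine the layers the way the considerations above describe."""
    if evaluate_scps(scp_levels, action, resource, ctx) == "Deny":
        return False                                   # SCP: highest priority
    if boundary is not None and evaluate_policy(boundary, action, resource, ctx) != "Allow":
        return False                                   # boundary caps the maximum
    # The identity policy is the only layer that can actually grant the action.
    return evaluate_policy(identity or {"Statement": []}, action, resource, ctx) == "Allow"


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:111122223333:instance/*"   # constructed ARN
    scps = [[FULL_AWS_ACCESS, ARTICLE_SCP]]                      # one OU level, for brevity
    for itype in ("t3.micro", "m5.large"):
        ok = is_allowed("ec2:RunInstances", instance, {"ec2:InstanceType": itype},
                        scps, DEV_BOUNDARY, DEV_IDENTITY)
        print(f"RunInstances {itype}: {'allowed' if ok else 'denied'}")
    # The identity policy allows iam:CreateUser but the boundary does not: denied.
    print("iam:CreateUser:", is_allowed("iam:CreateUser", "*", {}, scps, DEV_BOUNDARY, DEV_IDENTITY))
```

Running it shows the three points in one place: the t3.micro launch passes all layers, the m5.large launch is stopped by the SCP even though the identity policy and boundary would allow it, and iam:CreateUser is stopped by the boundary although the identity policy grants it. One caveat the simulator does not model: SCPs never affect the management account itself, so test them from a member account.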
Setting up an SCP Policy
There are multiple ways to set an SCP (e.g. the Control Tower console or the AWS Organizations console); in this example we use the AWS Organizations console for simplicity.
Open the AWS Organizations console from the root/management account.
From the left menu choose Policies, then Service control policies, then Create policy.
Type the policy name.
In the policy section, paste the policy listed below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InstanceTypeRestriction",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t3.micro"
        }
      }
    }
  ]
}
Then choose Create policy.
Now, let's attach this SCP to an OU.
Navigate to AWS accounts, then select an OU or account.
Choose Policies, then attach the policy created above.
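The same steps can be scripted instead of clicked through. The following is an added example using boto3, not the article's or AWS's own code; it assumes credentials for the organization's management account, and the TARGET_ID, policy name and description are placeholders you replace. It generalises the article's policy to a list of permitted instance types and checks the SCP-specific syntax limits (no Principal/NotPrincipal, and Allow statements may only use Resource "*") before calling the API.

```python
"""Scripted version of the console steps: build the SCP, sanity-check it, create
it and attach it to an OU or account. Added example, not from the article or AWS."""
import json

TARGET_ID = "ou-xxxx-xxxxxxxx"   # placeholder: replace with your OU or account id


def build_policy(allowed_instance_types):
    """The article's SCP, generalised to a list of permitted instance types.
    StringNotEquals with a list denies unless the type matches one of them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InstanceTypeRestriction",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            "Condition": {"StringNotEquals": {"ec2:InstanceType": list(allowed_instance_types)}},
        }],
    }


def scp_syntax_problems(policy):
    """Catch SCP-specific syntax limits before calling the API: no Principal /
    NotPrincipal (see the considerations above), and an Allow statement may only
    use Resource "*" (AWS rejects a narrower Resource in an Allow statement)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append('Version must be "2012-10-17"')
    for idx, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement #{idx}")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{sid}: Principal/NotPrincipal are not supported in SCPs")
        if stmt.get("Effect") == "Allow" and stmt.get("Resource", "*") not in ("*", ["*"]):
            problems.append(f'{sid}: Allow statements must use Resource "*"')
    return problems


def create_and_attach(policy, target_id, name="InstanceTypeRestriction",
                      description="Deny non-approved EC2 instance types"):
    """Create the SCP and attach it to an OU or account (run from the management account)."""
    import boto3  # imported here so the pure helpers above work without the SDK installed
    problems = scp_syntax_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    org = boto3.client("organizations")
    created = org.create_policy(Content=json.dumps(policy), Description=description,
                                Name=name, Type="SERVICE_CONTROL_POLICY")
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


if __name__ == "__main__":
    policy = build_policy(["t3.micro"])
    print(json.dumps(policy, indent=2))
    print("created and attached:", create_and_attach(policy, TARGET_ID))
```

Because create_policy and attach_policy are two separate calls, a failed attach leaves an unattached policy behind; list it in the console (or with list_policies) and attach or delete it rather than creating a second copy.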
Resources
That's it. Very straightforward, very fast 🚀. I hope this article inspired you, and I would appreciate your feedback. Thank you.
Written by

Mohamed El Eraki
Cloud & DevOps Engineer, Linux & Windows SysAdmin, PowerShell, Bash, Python Scriptwriter, Passionate about DevOps, Autonomous, and Self-Improvement, being DevOps Expert is my Aim.