What is an AWS Service Control Policy?

An AWS Service Control Policy (SCP) is an organization-level policy that defines which actions the users and roles in an AWS account are allowed or denied. It's a best practice to give users only the access they need to do their jobs (known as the Principle of Least Privilege), and SCPs help you enforce that across your AWS accounts.

AWS Service Control Policies (SCPs) must be enabled in AWS Organizations before they take effect. Please note: SCPs and their associated settings are hidden for customers running Kion in AWS high side, since SCPs are not available in those regions.

Different types of policies in AWS often overlap. AWS IAM policies, AWS SCPs, and permissions boundaries all constrain the permissions of an entity (i.e. a user, user group, or role). To learn more about this, see the What is a Permissions Boundary? article. You can also learn more about SCPs in the AWS Service Control Policies documentation.

Using SCPs in Kion

In order to use SCPs directly within the AWS console, you need highly privileged access to the root of your organization (i.e. your billing account, or what we call your management account).

Kion helps you create, manage, and apply SCPs with ease. Using Kion, you'll follow these steps to apply your SCPs to any account, including multiple management accounts:

  1. Apply the SCP to a cloud rule.
  2. Attach the cloud rule to a project or OU that is associated with the account. For more information, see Managing Cloud Rules on Resources.
  3. The SCP will now apply to the entire account. Cloud rule exemptions will apply as usual.

When you need to make a change, you can easily update the SCP in one place, and Kion will modify it in all of your accounts via your cloud rules. Plus, you'll enjoy greater visibility into which SCPs are applied across your organization.

Should I use an SCP or an IAM policy?

While SCPs accomplish a similar goal to IAM policies, they differ in a few key ways, which can help you determine which is right for your situation:

  • IAM policies give you finer control, letting you grant granular permissions to individual users.
  • SCPs let you apply enforcements at a higher level that apply to all users in the account. With IAM policies alone, a restriction could be bypassed by creating a new user in the AWS console to which the IAM policy is not attached. An SCP applies account-wide, so there is no risk of that.

If you have an IAM policy that you would like to extend to your entire account, you can easily clone it and convert it into a service control policy. For more information, see Add an AWS Service Control Policy.