Add an AWS Service Control Policy

AWS Service Control Policies (SCPs) must be turned on within AWS in order for them to take effect. If you add SCPs to Kion but they are turned off in the AWS console, we will send a notification every 48 hours to remind you that SCPs are not enabled for your organization.

To add an AWS SCP:

  1. Navigate to Cloud Management > AWS Service Control Policies.
  2. Click Add New+.
  3. In the AWS Service Control Policy Name field, enter a name to identify the SCP throughout the application. This field must be unique among SCPs.
  4. In the AWS Service Control Policy field, enter or paste a valid AWS Service Control Policy.
  5. Toggle Format to ON to align the braces. You can also click View Supported Parameters to view the supported parameters and Hide Supported Parameters to hide them.
  6. Select at least one user or user group as the policy owner. Owners are given all relevant permissions associated with the owner role. You can read about this in our Ownership of Objects article.
  7. Click Create Service Control Policy. Once the SCP is saved, it will be validated with AWS.
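The JSON pasted in step 4 is only validated by AWS after you save, so a local pre-check catches the common SCP syntax mistakes earlier. This is an added example, not Kion's own code; it encodes AWS's documented SCP constraints (Version 2012-10-17, Allow or Deny, no Principal, and Allow statements limited to Resource "*" with no Condition, NotAction or NotResource) and uses a constructed region-allowlist SCP as sample input.

```python
"""Pre-check an SCP document before pasting it into Kion (added example)."""
import json

# Constructed sample: deny actions outside two approved regions, exempting
# global services whose API calls are always routed to a single region.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["us-east-1", "us-west-2"]}},
    }],
}


def validate_scp(document):
    """Return a list of problems; an empty list means the checks passed."""
    if isinstance(document, str):
        try:
            document = json.loads(document)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc}"]
    problems = []
    if document.get("Version") != "2012-10-17":
        problems.append("Version must be '2012-10-17'")
    statements = document.get("Statement")
    if isinstance(statements, dict):       # a single statement object is allowed
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        where = f"statement {i}"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{where}: SCPs do not support Principal/NotPrincipal")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{where}: exactly one of Action or NotAction is required")
        if effect == "Allow":
            # Allow statements in SCPs are grant-everything-to-"*" only.
            resource = stmt.get("Resource")
            if resource not in ("*", ["*"]):
                problems.append(f"{where}: Allow statements must use Resource '*'")
            for key in ("Condition", "NotAction", "NotResource"):
                if key in stmt:
                    problems.append(f"{where}: {key} is not allowed in an Allow statement")
    return problems
```

Run `validate_scp(SAMPLE_SCP)` on your own document before step 4; an empty list does not guarantee AWS will accept it (size limits and action names are not checked here), but a non-empty one will certainly fail.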

Clone an IAM Policy as a Service Control Policy

You can clone an AWS IAM policy and convert it into a service control policy. This conversion makes it easy to scale essential compliance measures from IAM policies that apply to individual roles to service control policies that affect the whole account.

To clone an IAM policy as a service control policy:

  1. Navigate to Cloud Management > AWS IAM Policies.
  2. Next to the IAM policy you would like to convert, click the ellipsis menu and select Clone as SCP.
  3. (Optional) Modify the policy name, description, and JSON.
  4. Select at least one user or user group as the policy owner.
  5. Click Create Service Control Policy.