Home

Awesome

Service Control Policy examples


The service control policies in this repository are shown as examples. You should not attach SCPs without thoroughly testing the impact that the policy has on accounts. Once you have a policy ready that you would like to implement, we recommend testing in a separate organization or OU that can be represent your production environment. Once tested, you should deploy changes to more specific OUs and then slowly deploy the changes to broader and broader OUs over time.

Service control policies (SCPs) are meant to be used as coarse-grained guardrails, and they don’t directly grant access. The administrator must still attach identity-based or resource-based policies to IAM principals or resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies. You can get more details about SCP effects on permissions here.

A Service control policy (SCP), when attached to an AWS organization, organization unit or an account offers a central control over the maximum available permissions for all accounts in your organization, organization unit or an account. As an SCP can be applied at multiple levels in an AWS organization, understanding how SCPs are evaluated can help you write SCPs that yield the right outcome. For in depth look at how to get more out of SCPs, visit blog.

We recommend that you organize accounts using OUs based on function, compliance requirements, or a common set of controls rather than mirroring your organization’s reporting structure. For more details, reference: Design principles for your multi-account strategy. If you are getting started with setting up your AWS Organizations organization, we recommend watching Morgan Stanley and Inter & Co. showcase their AWS Organization and SCP evolution journey and lessons learnt along the way.

This repository


The example policies are divided into different categories based on the type of control. These examples do not represent a complete list and are intended for you to tailor and extend to suit the needs of your environment.

Note : The SCP examples in this repository use a deny list strategy, which means that you also need a FullAWSAccess policy or other policy that allows access attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies.

Top SCPs to get started with


If you are just starting to implement SCPs in your environment, consider top 5 recommended SCPs.

Documentation links


Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.