Скачать или смотреть Service Control Policy (SCPs): 6 Things You Have To Know | AWS

Service Control Policies or SCPs are a type of organization policy that allows you to manage permissions in your organization.

Hi Guys, this is Abi from GokceDB and in this video you are going to learn 6 things about SCPs in AWS Organizations. Let's get into it.

1. SCPs offer central control over the maximum available permissions for all accounts in your organization. They are used to create mandatory controls at the account level, rather than relying solely on permissions granted through individual IAM policies.

2. SCPs are typically used in organizations with multiple AWS accounts to manage and enforce centralized policies that apply to all of their accounts. By defining SCPs, admins can restrict the actions that can be taken in AWS accounts and services thereby ensuring compliance with organizational policies and regulations.

3. No permissions are actually granted by an SCP. An SCP defines a guardrail on the actions that the account's admin can delegate to the IAM users and roles in the affected accounts.

4. SCPs don't affect users or roles in the management account. They only affect the member accounts in your organization.

5. SCPs take precedence over IAM policies. This means that if an SCP denies access to a specific AWS service or action, then no IAM entity within that account can perform that action, even if they have an IAM policy that explicitly grants access to it.

6. Let's look at an example of an SCP. Say you wanted to prevent member accounts from leaving the organization. To do that, you can simply create a JSON policy with the action of LeaveOrganization and with an effect of Deny for all resources.

In summary, SCPs provide an effective way to manage access to AWS services and resources within an organization by setting clear boundaries and constraints on what IAM entities can and cannot do.