An SCP is just like any other policy in AWS, with a couple of important distinctions. The two relevant attributes are Action and Resource.

For an SCP Allow statement, the Resource can only be "*" (all resources within the specified service). Action is the service being allowed or denied, e.g. S3, DynamoDB or all services ("*").

ALLOW all accounts access to ALL services

So, if you wanted to allow accounts within the organization to have access to all services, a simple SCP might look like this:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllActions",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

DENY access to EC2 resources

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}

ALLOW RESTRICTIONS
  • An Allow statement in an SCP can't have a Resource element with anything except a "*".
  • An Allow statement in an SCP can't have a Condition element at all.
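The following Python is an added example, not code from the original post: it checks an SCP against the two Allow restrictions above and then shows how the allow-all and deny-EC2 policies combine (an explicit Deny in any SCP wins; otherwise an Allow must match). The policy documents are constructed here to mirror the ones on the page, and the function names (lint_scp, scp_permits) are this example's own. It deliberately ignores NotAction, Resource and Condition matching on Deny statements, so it is a teaching model rather than a full IAM evaluator.

```python
import fnmatch
import json

# Constructed sample SCPs mirroring the two policies shown on the page.
ALLOW_ALL_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

DENY_EC2_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyEC2", "Effect": "Deny", "Action": "ec2:*", "Resource": "*"}
    ],
})

# Constructed policy that breaks both Allow restrictions (specific Resource and a Condition).
BAD_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BadAllow",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }
    ],
})


def _as_list(value):
    """IAM elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_scp(policy_json):
    """Return the problems found in the Allow statements of an SCP.

    Encodes the two restrictions from the page: an Allow statement may only
    use Resource "*" and may not carry a Condition element.
    """
    problems = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not subject to these restrictions
        if _as_list(stmt.get("Resource")) != ["*"]:
            problems.append(f'{label}: Allow statements must use Resource "*"')
        if "Condition" in stmt:
            problems.append(f"{label}: Allow statements may not have a Condition")
    return problems


def _action_matches(pattern, action):
    """Case-insensitive wildcard match, e.g. 'ec2:*' matches 'ec2:RunInstances'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_permits(policies, action):
    """Decide whether an action survives a set of SCPs.

    An explicit Deny in any policy wins; otherwise at least one Allow must
    match the action. Only the Action element is evaluated here.
    """
    allowed = False
    for policy_json in policies:
        policy = json.loads(policy_json)
        for stmt in _as_list(policy.get("Statement")):
            if any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
                if stmt.get("Effect") == "Deny":
                    return False
                if stmt.get("Effect") == "Allow":
                    allowed = True
    return allowed


if __name__ == "__main__":
    print(lint_scp(ALLOW_ALL_SCP))  # []
    print(lint_scp(BAD_SCP))        # two problems
    print(scp_permits([ALLOW_ALL_SCP, DENY_EC2_SCP], "ec2:RunInstances"))  # False
    print(scp_permits([ALLOW_ALL_SCP, DENY_EC2_SCP], "s3:GetObject"))      # True
```

Running the script shows the practical effect of the two policies together: EC2 actions are blocked by the explicit Deny even though the allow-all policy is also attached, while S3 actions pass. Note that with only the deny-EC2 policy attached nothing is permitted, because there is no Allow at all.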

Summary

That's it. SCPs are an easy way to apply allow/deny policies across multiple accounts. They look just like IAM or resource policies, with a few key differences (chiefly, what is allowed as Resource values in an Allow statement).

Next Steps?

Need help with your Terraform or PowerShell or other automation effort? Set up a free consultation - Start the conversation today.