SCPs in AWS – A quick intro
An SCP is just like any other policy in AWS, with a couple of important distinctions. The two relevant attributes are Action and Resource.
For an SCP, the Resource in an Allow statement can only be * (all resources within the specified service). Action is the service, e.g. s3:* or dynamodb:*, or * for all services.
ALLOW all accounts access to ALL services
So, if you wanted to ALLOW accounts within the organization to have access to all services, a simple SCP may look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAllActions",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
DENY access to EC2 resources
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2",
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
ALLOW RESTRICTIONS
- An Allow statement in an SCP can't have a Resource element with anything except "*".
- An Allow statement in an SCP can't have a Condition element at all.
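As an added example (not code from the original post), here is a small Python script that checks a policy document against the two Allow restrictions above and then evaluates the allow-all statement combined with the EC2 deny, showing that the explicit Deny wins. The SAMPLE_SCP document is constructed for this example; the evaluator looks only at Action patterns (no NotAction, no Resource matching), which is enough for the SCP shapes discussed here.

```python
import json
import fnmatch

# Constructed sample SCP combining the two statements from the post:
# allow everything, then explicitly deny all EC2 actions.
SAMPLE_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyEC2", "Effect": "Deny", "Action": "ec2:*", "Resource": "*"}
  ]
}""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_scp(policy):
    """Return the violations of the SCP rules this post describes:
    an Allow statement must use Resource "*" and must carry no Condition."""
    problems = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _as_list(stmt.get("Resource", [])) != ["*"]:
            problems.append(f'{sid}: Allow statement Resource must be "*"')
        if "Condition" in stmt:
            problems.append(f"{sid}: Allow statement may not have a Condition")
    return problems


def scp_permits(policy, action):
    """Evaluate one SCP for an action string such as "s3:GetObject".
    Same rule set as IAM: an explicit Deny overrides any Allow, and with no
    matching Allow the action is not permitted by this SCP. Action names are
    case-insensitive, so both sides are lower-cased before wildcard matching."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    print(validate_scp(SAMPLE_SCP))                     # []
    print(scp_permits(SAMPLE_SCP, "s3:GetObject"))      # True
    print(scp_permits(SAMPLE_SCP, "ec2:RunInstances"))  # False
```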
Summary
That's it. SCPs are an easy way to apply allow / deny policies across multiple accounts. They look just like IAM or resource policies, with a few key differences (what is allowed as Resource values in an Allow statement).
Next Steps?
Need help with your Terraform or PowerShell or other automation effort? Set up a free consultation - Start the conversation today.