An SCP (service control policy) is a type of AWS Organizations policy that restricts service access for entire organizational units (OUs) or specific member accounts.
What can SCPs do?
- SCPs can effectively restrict member account root users (the management account itself is not affected).
- SCPs act as a permission boundary for member accounts.
- SCPs don't grant permissions to AWS identities.
Only actions allowed by both the identity policies and the SCPs can be performed.
Implementing SCP
- SCPs can only be created and attached by the management account of the organization.
- Deny list approach
  - The default SCP for a member account is FullAWSAccess, an explicit allow for all services; to restrict access under this approach, keep it attached and add SCPs with explicit deny statements.
  - SCPs use the same deny-allow-deny rule as IAM: explicit deny > explicit allow > implicit deny.
- Allow list approach
  - Detach the default FullAWSAccess SCP so that only the services listed in explicit allow statements are reachable; everything else falls through to implicit deny.
  - Results in more admin overhead, but is more secure as it never over-provisions service access.
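The following is an added example, not part of the original notes, that models the two points above in code: the deny-allow-deny rule inside each policy layer, and the requirement that both the SCP layer and the identity-policy layer allow a request before it succeeds. The sample SCPs (a deny-list SCP blocking `s3:DeleteBucket` and `iam:*`, an allow-list SCP permitting only `ec2:*` and `s3:*`) and the identity policies are constructed for illustration; only the Action element is matched, Resource and Condition are ignored, and the SCP list is treated as the policies attached at a single level of the OU hierarchy (in a real organization an action must be allowed at every level from the root down to the account).

```python
from fnmatch import fnmatchcase

# Constructed sample policies for the example (not from the original notes).
# AWS attaches FullAWSAccess to every account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Deny-list approach: FullAWSAccess stays attached and a second SCP carves
# out what member accounts must never do (hypothetical choices).
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["s3:DeleteBucket", "iam:*"], "Resource": "*"}
    ],
}

# Allow-list approach: FullAWSAccess is detached, so only the listed
# services are reachable and everything else is implicitly denied.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

# Identity policies attached to the principal making the request.
ADMIN_IDENTITY_POLICY = FULL_AWS_ACCESS
S3_READ_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}


def _actions(statement):
    """Normalise the Action element, which may be a string or a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def evaluate_layer(policies, action):
    """Evaluate one layer (all SCPs, or all identity policies) for an action.

    Returns 'explicit_deny', 'allow' or 'implicit_deny' following the
    deny-allow-deny rule: a matching Deny wins regardless of policy order,
    otherwise a matching Allow, otherwise implicit deny.
    """
    allowed = False
    for policy in policies:
        for statement in policy.get("Statement", []):
            if any(fnmatchcase(action, pattern) for pattern in _actions(statement)):
                if statement["Effect"] == "Deny":
                    return "explicit_deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(action, identity_policies, scps):
    """A request succeeds only if BOTH layers return 'allow'.

    SCPs never grant anything on their own: an allow in the SCP layer with
    no matching allow in the identity layer is still denied.
    """
    return (
        evaluate_layer(scps, action) == "allow"
        and evaluate_layer(identity_policies, action) == "allow"
    )


def demo():
    """Evaluate a few requests under each approach; returns a name -> bool map."""
    admin = [ADMIN_IDENTITY_POLICY]
    deny_list = [FULL_AWS_ACCESS, DENY_LIST_SCP]
    allow_list = [ALLOW_LIST_SCP]
    return {
        # Deny list: everything works except the carved-out actions.
        "deny_list_s3_get": is_allowed("s3:GetObject", admin, deny_list),
        "deny_list_s3_delete_bucket": is_allowed("s3:DeleteBucket", admin, deny_list),
        "deny_list_iam_create_user": is_allowed("iam:CreateUser", admin, deny_list),
        # Allow list: only listed services work, even for an admin principal.
        "allow_list_ec2_run": is_allowed("ec2:RunInstances", admin, allow_list),
        "allow_list_lambda_invoke": is_allowed("lambda:InvokeFunction", admin, allow_list),
        # SCP does not grant: FullAWSAccess alone cannot give this principal EC2.
        "scp_does_not_grant": is_allowed("ec2:RunInstances", [S3_READ_IDENTITY_POLICY], [FULL_AWS_ACCESS]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

Running the block prints one line per case; the `scp_does_not_grant` case is the one to keep in mind when auditing an organization: an SCP that looks permissive is not evidence that any principal actually holds the permission, and conversely a permissive identity policy is harmless for actions the SCP layer denies.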