Skip to content

Example AWS Service control policies to get started or mature your usage of AWS SCPs.

License

MIT-0, Unknown licenses found

Licenses found

MIT-0
LICENSE
Unknown
LICENSE-SUMMARY
Notifications You must be signed in to change notification settings

aws-samples/service-control-policy-examples

Service Control Policy examples


The service control policies in this repository are shown as examples. You should not attach SCPs without thoroughly testing the impact that the policy has on accounts. Once you have a policy ready that you would like to implement, we recommend testing in a separate organization or OU that can be represent your production environment. Once tested, you should deploy changes to more specific OUs and then slowly deploy the changes to broader and broader OUs over time.

Service control policies (SCPs) are meant to be used as coarse-grained guardrails, and they don’t directly grant access. The administrator must still attach identity-based or resource-based policies to IAM principals or resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between the Service control policy/Resource control policy and an identity policy or the Service control policy/Resource control policy and a resource policy. You can get more details about SCP effects on permissions here.

A Service control policy (SCP), when attached to an AWS organization, organization unit or an account offers a central control over the maximum available permissions for all accounts in your organization, organization unit or an account. As an SCP can be applied at multiple levels in an AWS organization, understanding how SCPs are evaluated can help you write SCPs that yield the right outcome. For in depth look at how to get more out of SCPs, visit blog.

We recommend that you organize accounts using OUs based on function, compliance requirements, or a common set of controls rather than mirroring your organization’s reporting structure. For more details, reference: Design principles for your multi-account strategy. If you are getting started with setting up your AWS Organizations organization, we recommend watching Morgan Stanley and Inter & Co. showcase their AWS Organization and SCP evolution journey and lessons learnt along the way.

This repository


The example policies are divided into different categories based on the type of control. These examples do not represent a complete list and are intended for you to tailor and extend to suit the needs of your environment.

Note : The SCP examples in this repository use a deny list strategy, which means that you also need a FullAWSAccess policy or other policy that allows access attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies.

  • Data perimeter guardrails : Enforce preventive guardrails that help ensure only your trusted identities are accessing trusted resources from expected networks.

  • Deny changes to security services: AWS offers security services that help you monitor access, security posture, and activity within your organization. Enforce guardrails to restrict member accounts from disabling these tools that are used to govern and comply, in operational auditing, and risk auditing of your AWS accounts.

  • Privileged access controls: Enforce controls to make sure that your roles and applications are given only privileges which are essential to perform their intended function.

  • Protect cloud platform resource : Enforce controls to protect your resources in cloud from being modified or deleted.

  • Region Controls: Enforce controls in your multi-account environment to inhibit use of certain AWS Region or Regions.

  • Sensitive data protection: Implement controls that protect your sensitive data, that should not be made publicly accessible or deleted intentionally or unintentionally.

Top SCPs to get started with


If you are just starting to implement SCPs in your environment, consider top recommended SCPs.

Documentation links


Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

About

Example AWS Service control policies to get started or mature your usage of AWS SCPs.

Topics

Resources

License

MIT-0, Unknown licenses found

Licenses found

MIT-0
LICENSE
Unknown
LICENSE-SUMMARY

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published