AWS IAM Policy types: SCP, SP, and PB

Learn about three other policy types AWS supports.

Service control policy (SCP)

If we use the AWS Organizations service to create new accounts, we get access to a new policy type that can be attached to AWS accounts. This allows one account, the management account, to impose restrictions on other accounts, the member accounts, that those member accounts cannot change from the inside. This is a powerful control mechanism because even if a member account is hacked with Administrator access, it is still limited by these outside policies.

We can use SCPs for a variety of purposes. For example, we can restrict which regions an account can use. Especially for single-purpose accounts, such as for development environments, all the resources are in a single region. Enforcing this prevents “hiding” resources in unused regions.

Also, these policies can prevent disabling or altering security-related resources. For example, a CloudWatch Events Rule might watch for access denied errors and report them to a Slack channel. By making this Events Rule impossible to alter from inside the account, we prevent an attacker from simply disabling it and then operating undetected.

Finally, an SCP can disable features that are not needed during normal operations. For example, a development account does not need to buy reserved EC2 instances or use S3 Glacier Vault Locks, features that can potentially cost a lot if misused.

A Service Control Policy can only restrict access: an operation is denied unless the policy explicitly allows it. To make an SCP impose no restrictions at all, use a policy that allows every action on every resource:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

There are two approaches to defining permissions with SCPs. The first is called allowlisting: we add an “Allow” policy that lists only the permissions we want to permit:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

The other way is called denylisting. In this case, we allow everything and then selectively remove permissions by adding “Deny” statements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
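To make the evaluation rules concrete, here is a small Python model of the SCP semantics described above: an explicit Deny always wins, an action is permitted only when some Allow statement matches, and a request must pass every level of the organization tree (root, OUs, account) whose SCPs apply to it. It is an added example written for this page, not code from the course or from AWS. The three policies from the text are reproduced verbatim; the `REGION_LOCK` and `PROTECT_RULE` policies, the region `eu-west-1`, the rule name `access-denied-alert` and the account id `111122223333` are constructed placeholders, and the evaluator is deliberately partial (Action/NotAction, Resource wildcards, and the StringEquals/StringNotEquals operators only). `aws:RequestedRegion` is a real AWS global condition key.

```python
"""Simplified evaluator for SCP semantics (added example, not from the course).

Model: SCPs attached at one level of the organization tree are evaluated
together; an explicit Deny wins, otherwise a matching Allow is required;
the request must be allowed at every level. Only Action / NotAction,
Resource wildcards and StringEquals / StringNotEquals are supported.
"""
import fnmatch
import json

# The course's three SCPs, verbatim.
FULL_ACCESS = json.loads('{"Version": "2012-10-17", "Statement": ['
                         '{"Effect": "Allow", "Action": "*", "Resource": "*"}]}')
ALLOWLIST_S3 = json.loads('{"Version": "2012-10-17", "Statement": ['
                          '{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}')
DENYLIST_S3 = json.loads('{"Version": "2012-10-17", "Statement": ['
                         '{"Effect": "Allow", "Action": "*", "Resource": "*"},'
                         '{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}')

# Constructed: pin the account to a single region (eu-west-1 is an assumption)
# while exempting global services whose requests carry no regional endpoint.
REGION_LOCK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ],
}

# Constructed: protect a security-alerting Events rule (placeholder rule name
# and account id) from being disabled, deleted or rewired inside the account.
PROTECT_RULE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["events:DeleteRule", "events:DisableRule", "events:PutRule",
                    "events:PutTargets", "events:RemoveTargets"],
         "Resource": "arn:aws:events:*:111122223333:rule/access-denied-alert"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, patterns):
    # IAM matches action names case-insensitively; ARNs are lower-cased too
    # here for simplicity.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(st, action, resource, context):
    """True if the statement's Action/NotAction, Resource and Condition all match."""
    if "Action" in st:
        action_ok = _glob(action, st["Action"])
    else:  # NotAction: the statement applies to every action NOT listed
        action_ok = not _glob(action, st["NotAction"])
    if not action_ok or not _glob(resource, st["Resource"]):
        return False
    for operator, pairs in st.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            # A negated operator evaluates to true when the key is absent.
            if operator == "StringNotEquals" and actual is not None and actual in expected:
                return False
    return True


def evaluate_level(policies, action, resource="*", context=None):
    """Evaluate all SCPs attached at one level together.

    Returns "Deny" (explicit), "Allow", or "ImplicitDeny" (no matching Allow).
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not _statement_applies(st, action, resource, context):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins regardless of any Allow
            decision = "Allow"
    return decision


def is_permitted(levels, action, resource="*", context=None):
    """A request passes only if every level (root, each OU, account) allows it."""
    return all(evaluate_level(lvl, action, resource, context) == "Allow" for lvl in levels)


if __name__ == "__main__":
    rule = "arn:aws:events:eu-west-1:111122223333:rule/access-denied-alert"
    checks = [
        ([[ALLOWLIST_S3]], "ec2:RunInstances", "*", {}),
        ([[DENYLIST_S3]], "s3:GetObject", "*", {}),
        ([[FULL_ACCESS, REGION_LOCK]], "ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}),
        ([[FULL_ACCESS, REGION_LOCK]], "iam:CreateUser", "*", {"aws:RequestedRegion": "us-east-1"}),
        ([[FULL_ACCESS, PROTECT_RULE]], "events:DisableRule", rule, {}),
    ]
    for levels, action, resource, ctx in checks:
        verdict = "ALLOW" if is_permitted(levels, action, resource, ctx) else "DENY"
        print(f"{action:22} {resource:64} -> {verdict}")
```

Two points the model makes visible that the text only states: a Deny statement wins even when a full-access Allow sits beside it at the same level (which is why denylist SCPs are normally attached alongside the allow-everything policy), and allowlisting at one level combined with denylisting at a lower level can leave an account able to do nothing at all, because each level must allow the request on its own.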

Tip: SCPs are powerful tools. As a best practice, create a new account using AWS Organizations immediately after creating your first AWS account and use the member account for day-to-day tasks.
