The Ultimate Guide for Understanding AWS Service Control Policies (SCPs)


If you already have an AWS organization in which you centrally manage several AWS accounts, Service Control Policies (SCPs) are likely to be worth your while.

Managing several accounts in an AWS organization brings a wide set of permissions with it; with SCPs, you can centrally control which of those permissions are actually available.

What are AWS SCPs, and how can they help improve your cloud security?

AWS SCPs are “policies” that you put in place to help manage resources across the accounts in your AWS organization.

Unlike Identity and Access Management (IAM), however, SCPs don’t grant permissions to AWS accounts. Instead, they restrict the permissions that have already been granted.

How can it help you?

With SCPs, you get more secure and cost-effective access to AWS features and services; this is especially useful for growing organizations with many accounts for different teams and workloads.

Even with IAM in place, you need SCPs as an additional layer of security that bounds the permissions IAM has granted.

What are the key elements of an AWS SCP?

  1. Statement

     A statement is the container that carries the policy elements. An SCP can contain several statements.

  2. Statement ID (Sid)

     The Sid is optional; it gives the statement a (usually friendly) name.

  3. Effect

     The Effect defines whether the statement allows or denies the listed actions for the IAM users and roles in an account.

  4. Action

     Action specifies the AWS service and the actions within it that the statement covers.

  5. NotAction

     NotAction specifies the AWS service actions that the statement does not cover; the statement then applies to every other action.

  6. Resource

     Resource specifies the resources that the SCP applies to.

  7. SCP Condition

     Condition specifies the circumstances under which the statement’s effect applies.

What are the main examples of AWS SCP use cases and implementations?

  • General examples

    These include denying access based on the requested region, preventing IAM users and roles from making specific changes, and preventing member accounts from leaving the organization.

  • SCPs for AWS configuration

    Unlike the general examples, the SCP for AWS configuration has a single purpose: preventing users from disabling AWS configuration and changing its rules.

  • SCPs for Elastic Compute Cloud (EC2)

    You can apply an SCP to all users and roles in an account that requires multi-factor authentication to be in place before any EC2 instance can be stopped or terminated.

  • SCPs for GuardDuty

    SCPs for GuardDuty have a single function: preventing users or roles from modifying or disabling the GuardDuty configuration, whether through the console or directly.

  • SCPs for resource access manager

    This ensures users only share resources within the organization. Essentially, it prevents users from sharing resources with IAM users and roles that are not part of the organization.

  • SCPs for Virtual Private Cloud (VPC)

    The SCP for VPC ensures that users or roles in an account cannot delete EC2 flow logs. It also prevents a VPC that has no internet access from being given it.

AWS SCPs vs. IAM Policies: How do they differ, and which is better?

While IAM and SCPs both work to keep your AWS accounts properly secured, there are quite a number of differences between them. You’ll find them in the table below:

  Service       SCPs                                                IAM
  Use           Only used with IAM                                  Can be used independently
  Accounts      Work for all accounts in an AWS organization        Only works with roles and users within an account
  Permissions   Manage permissions that have been granted by IAM    Grants security permissions to roles and users within accounts

Which is better?

Well, considering that IAM and SCPs both provide security for AWS accounts, it’s best to use both to obtain the optimum level of security.
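The policy elements listed earlier (Sid, Effect, Action, NotAction, Resource, Condition), the use cases above (region restriction, preventing accounts from leaving the organization, MFA before stopping or terminating EC2 instances, protecting GuardDuty) and the SCP-versus-IAM comparison can all be seen in one place in the following Python example. It is added here and is not code from the article or from AWS: it builds sample SCPs and evaluates requests with a deliberately simplified model of the AWS rule that a principal's effective permissions are the intersection of what IAM grants and what the SCPs allow. The Sids, the approved-region list, the NotAction exemptions and the IAM policies are assumptions; only the condition operators the samples need are modelled, a single SCP level is evaluated, and no AWS calls are made.

```python
import fnmatch

# Constructed sample SCPs (assumptions, not the article's or AWS's policies).
FULL_AWS_ACCESS = {  # AWS attaches an allow-all SCP of this shape by default
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAWSAccess", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}
DENY_OUTSIDE_APPROVED_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        # NotAction: the statement covers every action EXCEPT these global services
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
    }],
}
GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PreventLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "RequireMfaToStopOrTerminateEc2", "Effect": "Deny",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*",
         # IfExists: a request carrying no MFA key at all is denied too
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "ProtectGuardDutyConfiguration", "Effect": "Deny",
         "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
                    "guardduty:DisassociateFromMasterAccount"],
         "Resource": "*"},
    ],
}
SCPS = [FULL_AWS_ACCESS, DENY_OUTSIDE_APPROVED_REGIONS, GUARDRAILS]

# Constructed IAM identity policies: a developer and a full administrator.
IAM_DEVELOPER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*"], "Resource": "*"}]}
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """Case-insensitive match of an action name against '*' wildcard patterns."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def condition_matches(condition, ctx):
    """Evaluate a Condition block against request context keys (subset of operators)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            expected = [str(v).lower() for v in _as_list(expected)]
            present = key in ctx
            actual = str(ctx.get(key, "")).lower()
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":  # a missing key counts as "not equal"
                if actual in expected:
                    return False
            elif operator == "Bool":
                if not present or actual not in expected:
                    return False
            elif operator == "BoolIfExists":  # a missing key makes the condition true
                if present and actual not in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def statement_applies(stmt, action, ctx):
    """A statement applies when its Action (or everything outside NotAction) and Condition match."""
    if "Action" in stmt:
        hit = _action_matches(action, stmt["Action"])
    else:
        hit = not _action_matches(action, stmt["NotAction"])
    return hit and condition_matches(stmt.get("Condition"), ctx)


def decide(policies, action, ctx):
    """Explicit Deny wins; otherwise Allow if any statement allows; else ImplicitDeny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if statement_applies(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def is_allowed(iam_policies, scps, action, ctx):
    """Effective permission = IAM allows AND the SCPs allow; an SCP never grants on its own."""
    return decide(iam_policies, action, ctx) == "Allow" and decide(scps, action, ctx) == "Allow"
```

Run `is_allowed([IAM_DEVELOPER], SCPS, "ec2:TerminateInstances", {"aws:RequestedRegion": "eu-west-1", "aws:MultiFactorAuthPresent": "true"})` and it returns True, while the same call without MFA, or for `s3:ListBucket` in an unapproved region, returns False. `decide(SCPS, "dynamodb:PutItem", ...)` returns "Allow" yet `is_allowed` for the developer is False because IAM never granted DynamoDB, which is the "SCPs don't grant permissions" point from the comparison table; and even `IAM_ADMIN` cannot call `organizations:LeaveOrganization`. Real AWS evaluation applies this at every level from the root down through each OU to the account, and all levels must allow.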

A step-by-step guide on how to set up and monitor your AWS SCPs

How do you set up an AWS SCP? Well, this article wouldn’t be complete without a way to help with that. So, here’s a step-by-step guide to help you:

  1. Be sure to enable all features in your AWS organization. Then enable SCPs through the organization console.

  2. In the console, click the “Policies” tab at the top right, then select the “Create policy” option.

  3. Name and describe your policy according to the role you’d like it to perform, or anything else that helps with easy identification.

  4. In the policy editor, find the empty statement in the text editor. To add the relevant resources, conditions, and actions, first position your cursor inside the policy statement so that the editor can detect the statement’s content.

  5. Change your statement ID to describe the function of your statement. For example, you can reuse the policy name as the statement ID if the policy has only one statement.

  6. Through the left panel, select the IAM service and add the actions you want to restrict.

  7. At this step, switch from “Action” to “NotAction” by selecting the “NotAction” option.

  8. Using the “Resource” policy element, apply controls to the policy you’re setting up.

  9. Click the “Save changes” option to create your policy.

  10. Attach your policy to the part of the AWS organization you want the permissions applied to.

To implement SCPs, use the policy editor in the AWS organization console. It guides you through adding actions, conditions, and resources, making it easier to author SCPs.

Common mistakes when using AWS SCPs and how to avoid them

  • An SCP containing more than one policy object

    An SCP must consist of exactly one JSON object; enclose it in a single pair of {} braces to ensure this. Other objects can still be nested inside it with additional braces.

  • An SCP containing more than one statement

    Each statement consists of a name on the left of a colon and its value on the right. The value of the statement should be an object that contains one Effect, Action, and Resource element each.

  • An SCP policy document exceeding the maximum size

    The maximum size of an SCP document is 5,120 bytes, including all characters and white space. You can reduce the size of your SCP by removing white space characters outside quotation marks.
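The three mistakes above can be caught before a policy is ever attached. The following Python validator is an added example, not the article's or AWS's code: it rejects documents with more than one top-level JSON object, checks that every statement is an object with an Effect, exactly one of Action or NotAction, and a Resource, reports documents over the 5,120-byte limit, and shows the white-space minification the article recommends. The sample policy is constructed, and `example:PlaceholderAction` is a placeholder, not a real AWS action.

```python
import json

MAX_SCP_BYTES = 5120  # documented SCP size limit, whitespace included


def validate_scp(text):
    """Return a list of problems found in an SCP document given as text (empty list = OK)."""
    problems = []
    stripped = text.strip()
    try:
        doc, end = json.JSONDecoder().raw_decode(stripped)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg} at char {e.pos}"]
    # Mistake 1: anything after the first JSON value means a second policy object
    if stripped[end:].strip():
        return ["more than one top-level JSON value; an SCP must be exactly one object"]
    if not isinstance(doc, dict):
        return ["top level must be a single JSON object wrapped in {}"]

    statements = doc.get("Statement")
    if statements is None:
        problems.append("missing 'Statement' element")
        statements = []
    elif isinstance(statements, dict):
        statements = [statements]  # a single statement object is also accepted
    elif not isinstance(statements, list):
        problems.append("'Statement' must be an object or a list of objects")
        statements = []
    # Mistake 2: each statement is one object with Effect, Action/NotAction and Resource
    for i, s in enumerate(statements):
        if not isinstance(s, dict):
            problems.append(f"statement {i}: not a JSON object")
            continue
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if ("Action" in s) == ("NotAction" in s):
            problems.append(f"statement {i}: exactly one of Action or NotAction is required")
        if "Resource" not in s:
            problems.append(f"statement {i}: missing Resource")
    # Mistake 3: the size limit counts every byte, whitespace included
    size = len(text.encode("utf-8"))
    if size > MAX_SCP_BYTES:
        problems.append(f"document is {size} bytes, limit is {MAX_SCP_BYTES}")
    return problems


def minify_scp(text):
    """Drop whitespace outside quoted strings; values inside quotes are untouched."""
    return json.dumps(json.loads(text), separators=(",", ":"))


def _sample_policy(n_statements):
    # Constructed deny-list policy; the action name is a placeholder, not a real AWS action.
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"DenyPlaceholder{i:02d}", "Effect": "Deny",
         "Action": f"example:PlaceholderAction{i:02d}", "Resource": "*"}
        for i in range(n_statements)]}


# Pretty-printed with 4-space indentation this sample is over the limit;
# minified, the same 40 statements fit comfortably.
PRETTY_SCP = json.dumps(_sample_policy(40), indent=4)

if __name__ == "__main__":
    print(len(PRETTY_SCP.encode()), validate_scp(PRETTY_SCP))
    print(len(minify_scp(PRETTY_SCP).encode()), validate_scp(minify_scp(PRETTY_SCP)))
```

`validate_scp(PRETTY_SCP)` reports the size problem, `validate_scp(minify_scp(PRETTY_SCP))` returns an empty list, and a document such as `{"Statement":[]} {"Statement":[]}` is rejected as two policy objects. Minification only reclaims whitespace; if the policy is still too large afterwards, the remaining options are fewer statements or wildcard actions.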

What are the pros and cons of using AWS SCPs?

Pros

  • With SCPs, the accounts in your AWS organization are guaranteed to stay within the access control guidelines you define.

  • They ensure that permissions granted to services, configurations, resources, etc., are not used excessively or abused.

  • SCPs offer a central control for permissions to accounts in an organization.

  • They provide an extra layer of security to your AWS organization.

  • They are cost-efficient, considering that they help to manage permissions effectively.

Cons

  • SCPs do not grant permissions to accounts.

  • They cannot be applied to principals that are outside your organization.

  • An SCP’s size is limited to 5,120 bytes.

  • There’s also a limit to the number of SCPs attached to an organization.

Tips for making the most of AWS SCPs for your organization

To get the most out of AWS SCPs, there are some best practices to adhere to, and we’ll look at some of them briefly.

  • Other than setting up the AWS organization, your main (management) account shouldn’t be used for anything else, because SCPs cannot restrict the management account of an AWS organization.

  • SCPs can be configured as either “allow” lists or “deny” lists. The best practice is to maintain a “deny” list, since it is lower maintenance and easier to handle when new AWS services appear.

  • It’s best not to attach SCPs to the root of the organization until you have tested them on organizational units (OUs).

  • Applying SCPs at the OU level rather than the account level makes troubleshooting easier.

  • For regulatory requirements, deny the regions that aren’t allowed in your organization.

Key takeaways

To use AWS Service Control Policies, it’s necessary to have an AWS Organization because the policies can only work in a multi-account environment.

In addition, companies have been plagued by data breaches, AWS services running when they’re not wanted, and similar problems. With AWS SCPs, you’re assured of a significant reduction in such events.

About the author

Youssef

Youssef is a Senior Cloud Consultant & Founder of ITCertificate.org
