The service control policies in this repository are shown as examples. You should not attach SCPs without thoroughly testing the impact that the policy has on accounts. Once you have a policy ready that you would like to implement, we recommend testing in a separate organization or OU that can be represent your production environment. Once tested, you should deploy changes to more specific OUs and then slowly deploy the changes to broader and broader OUs over time.
Service control policies (SCPs) are meant to be used as coarse-grained guardrails, and they don’t directly grant access. The administrator must still attach identity-based or resource-based policies to IAM principals or resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies. You can get more details about SCP effects on permissions here.
A Service control policy (SCP), when attached to an AWS organization, organization unit or an account offers a central control over the maximum available permissions for all accounts in your organization, organization unit or an account. As an SCP can be applied at multiple levels in an AWS organization, understanding how SCPs are evaluated can help you write SCPs that yield the right outcome. For in depth look at how to get more out of SCPs, visit blog.
We recommend that you organize accounts using OUs based on function, compliance requirements, or a common set of controls rather than mirroring your organization’s reporting structure. For more details, reference: Design principles for your multi-account strategy. If you are getting started with setting up your AWS Organizations organization, we recommend watching Morgan Stanley and Inter & Co. showcase their AWS Organization and SCP evolution journey and lessons learnt along the way.
The example policies are divided into different categories based on the type of control. These examples do not represent a complete list and are intended for you to tailor and extend to suit the needs of your environment.
Note : The SCP examples in this repository use a deny list strategy, which means that you also need a FullAWSAccess policy or other policy that allows access attached to your AWS Organizations organization entities to allow actions. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies.
-
Data perimeter guardrails : Enforce preventive guardrails that help ensure only your trusted identities are accessing trusted resources from expected networks.
-
Deny changes to security services: AWS offers security services that help you monitor access, security posture, and activity within your organization. Enforce guardrails to restrict member accounts from disabling these tools that are used to govern and comply, in operational auditing, and risk auditing of your AWS accounts.
-
Privileged access controls: Enforce controls to make sure that your roles and applications are given only privileges which are essential to perform their intended function.
-
Protect cloud platform resource : Enforce controls to protect your resources in cloud from being modified or deleted.
-
Region Controls: Enforce controls in your multi-account environment to inhibit use of certain AWS Region or Regions.
-
Sensitive data protection: Implement controls that protect your sensitive data, that should not be made publicly accessible or deleted intentionally or unintentionally.
If you are just starting to implement SCPs in your environment, consider top 5 recommended SCPs.
- Deny member accounts from leaving the organization
- Only allow usage of approved AWS Regions
- Deny usage of the root user
- Deny changes to security services
- Protect your sensitive Amazon S3 buckets
-
Get more out of service control policies in a multi-account environment
-
Achieving operational excellence with design considerations for AWS Organizations SCPs
-
AWS re:Inforce 2022 - Getting more out of your service control policies, featuring Morgan Stanley
-
AWS re:Inforce 2023 - Create enterprise-wide preventive guardrails, featuring Inter & Co.
-
Pull requests : https://github.com/aws-samples/service-control-policy-examples/pulls
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.
