AWS Service Control Policies (SCP) uses for the Security Specialty Exam

This is part of a series of posts to use as a study guide for the AWS Security Specialty exam

What is SCP?

SCPs (service control policies) are a type of AWS Organizations policy used to manage permissions across your organization. SCPs provide central control over the maximum permissions available to all accounts within the organization. They act as guardrails that keep your accounts within your overall access control guidelines. The organization must have all features enabled to use SCPs; they are not available in an organization that has only the consolidated billing feature set enabled.

SCPs set limits and provide guardrails on the actions that an account administrator can delegate to IAM users and roles within accounts. IAM policies must still be attached by the administrator to grant permissions.

SCPs have no effect on users or roles within the management account. They do affect the member accounts within the organization.

SCP effects on permission

SCPs are similar to IAM permission policies and use the same syntax. The major difference is that SCPs NEVER grant permissions. They are policies that only specify the maximum permissions available to principals in the affected accounts.
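The following toy evaluator is an added example (not part of the original post, and not AWS's own policy engine) that models the three points above: an SCP only narrows what is possible, an IAM policy must still grant the action, and management-account principals skip the SCP check. The policy shapes, action names and the `OU_GUARDRAIL` deny on stopping CloudTrail logging are constructed sample data.

```python
from fnmatch import fnmatchcase


def _match(statements, action):
    """Return (explicit_deny, allow) for one policy's statements.
    Action patterns use IAM-style wildcards such as 's3:*' or '*'."""
    deny = allow = False
    for st in statements:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatchcase(action, a) for a in acts):
            if st["Effect"] == "Deny":
                deny = True
            elif st["Effect"] == "Allow":
                allow = True
    return deny, allow


def is_allowed(action, iam_statements, scp_chain, is_management_account=False):
    """scp_chain lists the SCP statements at each level from the root down to
    the account; the action must be allowed, and not denied, at every level.
    iam_statements is the identity-based policy on the user or role; it is
    what actually grants. Management-account principals ignore SCPs."""
    if not is_management_account:
        for scp in scp_chain:
            deny, allow = _match(scp, action)
            if deny or not allow:
                return False  # SCP guardrail blocks the action
    deny, allow = _match(iam_statements, action)
    return allow and not deny  # IAM must still grant it


# Constructed sample policies for illustration only (not from a real account).
FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": "*"}]          # root-level SCP
OU_GUARDRAIL = [{"Effect": "Allow", "Action": "*"},             # OU-level SCP
                {"Effect": "Deny", "Action": "cloudtrail:StopLogging"}]
ADMIN_IAM = [{"Effect": "Allow", "Action": "*"}]                 # IAM policy
S3_ONLY_IAM = [{"Effect": "Allow", "Action": "s3:*"}]            # IAM policy


def demo():
    chain = [FULL_AWS_ACCESS, OU_GUARDRAIL]
    return {
        # SCP deny wins even over an IAM admin policy in a member account
        "admin_stop_trail": is_allowed("cloudtrail:StopLogging", ADMIN_IAM, chain),
        "admin_s3": is_allowed("s3:PutObject", ADMIN_IAM, chain),
        # same principal in the management account is not bounded by the SCP
        "mgmt_stop_trail": is_allowed("cloudtrail:StopLogging", ADMIN_IAM, chain, True),
        # SCP allows ec2:* at every level, but no IAM policy grants it
        "s3only_ec2": is_allowed("ec2:RunInstances", S3_ONLY_IAM, chain),
    }
```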

Features and permissions for SCPs:

I hope that you have enjoyed this security overview of managing AWS SCP.