An AWS Service Control Policy (SCP) is an AWS Organizations policy that sets the maximum permissions available to the IAM users and roles in an account. It is written like an IAM policy, but it never grants access on its own: it only defines the ceiling within which the account's IAM policies can grant permissions. It's a best practice to give users only the access they need to perform their jobs (this is known as the principle of least privilege or PoLP, which you can read about in this article), and SCPs help you enforce that across your AWS accounts.
Service Control Policies only take effect once they are enabled for your AWS organization (the organization must have all features enabled, not just consolidated billing). Please note: SCPs and their associated settings are hidden for customers running cloudtamer.io on the AWS high side, since SCPs are not available to those customers.
Using SCPs in cloudtamer.io
In the AWS console, working with SCPs requires highly privileged access to the root of your organization (i.e. your billing account, or what we call your management account). Applying them to more than one account is a cumbersome manual process, and you can't apply them across multiple management accounts (that is, across separate AWS organizations).
But cloudtamer.io helps you create, manage, and apply SCPs with ease. Using cloudtamer.io, you'll follow these steps to apply your SCPs to any account, including multiple management accounts:
- Apply the SCP to a cloud rule.
- Attach the cloud rule to a project, or to an OU that is associated with the account.
- The SCP now applies to the entire account. Cloud rule exemptions apply as usual.
When you need to make a change, you can easily update the SCP in one place within cloudtamer.io, and cloudtamer.io will modify it in all of your accounts via your cloud rules. Plus, you'll enjoy greater visibility into which SCPs are applied across your organization.
Should I use an SCP or an IAM policy?
While SCPs accomplish a similar goal to IAM policies, they differ in a few key ways, which can help you determine which is right for your situation:
- IAM policies give you finer-grained control: you can grant specific permissions to individual users, groups, or roles.
- SCPs apply enforcement at a higher level, to every IAM user and role in the account and to the account's root user, which an IAM policy cannot restrict. This can be advantageous: with IAM policies alone, a restriction can be sidestepped by creating a new user or role in the AWS console to which the restrictive policy is not attached. An SCP applies account-wide, so a newly created identity is bound by it just like the existing ones. Two caveats to keep in mind: SCPs do not affect users or roles in the management account itself, and they restrict but never grant, so an entity still needs an IAM policy that allows the action.
Additionally, the different types of policies in AWS overlap. Your IAM policies, SCPs, and permissions boundaries together determine an entity's (i.e. a user, user group, or role) effective permissions: what it can actually do in the cloud. An action is allowed only when every applicable policy type allows it, and an explicit deny in any one of them wins. To learn more about this, see the What is a Permissions Boundary? article. You can also learn more about SCPs in the AWS Service Control Policies documentation.
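To make the overlap concrete, here is a small Python model of how AWS combines an SCP, a permissions boundary, and an identity-based IAM policy into an effective decision for one action in a member account. This is an added example, not cloudtamer.io or AWS code, and the three policy documents in it are constructed samples. It deliberately ignores conditions, resource ARNs, resource-based policies, session policies, and cross-account access; the point it demonstrates is the one made above: a freshly created administrator with `"Action": "*"` is still stopped by the SCP, and the root user of a member account is bound by the SCP even though no IAM policy applies to it.

```python
"""Simplified model of AWS policy evaluation for one action in a member account.

Added example, not cloudtamer.io or AWS code. Rule implemented: an explicit
Deny in any applicable policy wins; otherwise the action must be allowed by
the SCP, by the permissions boundary (if one is set), and by the identity
policy. The management account is not modelled because SCPs do not apply to it.
"""
import fnmatch
import json

# Constructed sample SCP in the usual "allow everything, then deny a short list"
# shape. The Allow does not grant anything; it only sets the ceiling.
SCP_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["organizations:LeaveOrganization",
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail"],
     "Resource": "*"}
  ]
}
"""

# Constructed sample identity policy for a newly created administrator user.
ADMIN_IAM_JSON = """
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
"""

# Constructed sample permissions boundary limiting an entity to S3 and CloudWatch Logs.
BOUNDARY_JSON = """
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}]}
"""


def _actions(stmt):
    """Normalise a statement's Action element to a list of patterns."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def policy_decision(policy, action):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document.

    Action patterns use IAM-style wildcards ("*" and "?"), and action names are
    matched case-insensitively as IAM does.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    result = None
    for stmt in doc["Statement"]:
        for pattern in _actions(stmt):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny always wins
                result = "Allow"
    return result


def is_allowed(action, scp, identity_policy, boundary=None, is_root=False):
    """Decide one action for a principal in a member account.

    The member account's root user is subject to the SCP but not to identity
    policies or permissions boundaries, so for root only the SCP is consulted.
    """
    if policy_decision(scp, action) != "Allow":
        return False  # explicit SCP deny, or action outside the SCP ceiling
    if is_root:
        return True
    if boundary is not None and policy_decision(boundary, action) != "Allow":
        return False
    return policy_decision(identity_policy, action) == "Allow"


def demo():
    """Return the decisions for a handful of representative requests."""
    return {
        "admin s3:PutObject": is_allowed("s3:PutObject", SCP_JSON, ADMIN_IAM_JSON),
        "admin cloudtrail:StopLogging": is_allowed("cloudtrail:StopLogging", SCP_JSON, ADMIN_IAM_JSON),
        "bounded ec2:RunInstances": is_allowed("ec2:RunInstances", SCP_JSON, ADMIN_IAM_JSON, BOUNDARY_JSON),
        "bounded logs:PutLogEvents": is_allowed("logs:PutLogEvents", SCP_JSON, ADMIN_IAM_JSON, BOUNDARY_JSON),
        "root organizations:LeaveOrganization": is_allowed(
            "organizations:LeaveOrganization", SCP_JSON, ADMIN_IAM_JSON, is_root=True),
        "root iam:CreateUser": is_allowed("iam:CreateUser", SCP_JSON, ADMIN_IAM_JSON, is_root=True),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:40s} {'ALLOW' if decision else 'DENY'}")
```

Note how the decision order mirrors the article: the SCP is checked first and ends the evaluation on a deny, the boundary narrows what an identity policy can grant, and an all-`*` identity policy for a brand-new user changes nothing about the SCP's deny list.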