SCP

Service Control Policies (SCPs) are a type of policy that allows administrators to manage permissions for multiple AWS accounts from a central location. SCPs are used to set permissions that restrict what actions AWS IAM users and roles can perform within an account or a group of accounts that are associated with an AWS Organization. SCPs are used to control access to services, actions, and resources within AWS accounts. They are used to help enforce organizational compliance and governance policies, ensure data security and privacy, and prevent unauthorized access to critical resources. SCPs allow administrators to create a hierarchy of permissions for AWS accounts. They can be applied to an entire AWS Organization, to individual accounts within an Organization, or to specific organizational units (OUs) within an Organization. SCPs are designed to be used in conjunction with AWS Identity and Access Management (IAM) policies. While IAM policies control access within individual AWS accounts, SCPs allow administrators to set rules across all accounts in an AWS Organization.

Terraform Name

aws_organizations_policy

SCP

attributes:

The following arguments are supported:

content - (Required) The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.
name - (Required) The friendly name to assign to the policy.
description - (Optional) A description to assign to the policy.
skip_destroy - (Optional) If set to true, destroy will not delete the policy and instead just remove the resource from state. This can be useful in situations where the policies (and the associated attachment) must be preserved to meet the AWS minimum requirement of 1 attached policy.
type - (Optional) The type of policy to create. Valid values are AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY (SCP), and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.
tags - (Optional) Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

‍

Associating resources with a

SCP

Resources do not "belong" to a

SCP

Rather, one or more Security Groups are associated to a resource.

Create

SCP

via Terraform:

The following HCL is an example of an AWS Organizations policy with the aws_organizations_policy resource that includes a SERVICE_CONTROL_POLICY type

Syntax:

resource "aws_organizations_policy" "example_policy" {
content = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
})
description = "Example policy"
name = "example-policy"
type = "SERVICE_CONTROL_POLICY"
}

Create

SCP

via CLI:

Parameters:

create-policy
--content <value>
--description <value>
--name <value>
--type <value>
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]

Example:

aws organizations create-policy --content file://policy.json --name AllowAllS3Actions, --type SERVICE_CONTROL_POLICY --description "Allows delegation of all S3 actions"

Costs

There is no additional cost for using AWS Service Control Policies (SCPs) themselves. SCPs are a feature of AWS Organizations, which is a service that is available at no additional cost to AWS customers. However, it's important to note that SCPs are used to control access to AWS resources and services, which do incur costs based on usage. SCPs are designed to help administrators manage and control those costs by limiting the actions that can be performed by AWS users and roles. Additionally, using SCPs may require additional management overhead, such as monitoring and updating the policies as the needs of the organization change. Depending on the complexity of the policies and the size of the organization, this may require additional resources, such as time and expertise. So while there is no direct cost associated with SCPs themselves, it's important to consider the potential impact on overall AWS usage and management when implementing SCPs in an organization.

SCP

Terraform Name

Costs

Indirect Cost

AWS Service Control Policies (SCP), the why, the what and the how.