AWS Service control policies (SCPs)
Richard T. Miles edited this page Jun 21, 2024 · 1 revision
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, and help ensure your accounts stay within your organization's access control guidelines. An SCP never grants permissions by itself: a principal in a member account still needs an IAM identity or resource policy that allows the action, and the SCP only caps what those policies can grant. SCPs apply to every IAM user and role in a member account, including the account's root user, but they have no effect on the organization's management account.
To create a new SCP:

- Go to the AWS Organizations service
- Click on the Policies tab
- Click on the Service control policies link
- Click the Create policy button
- Give the policy a name and a description
- You can either use the visual editor to build the policy service by service, or paste your JSON policy document directly into the policy code editor on the right side of the screen
- After you have finished with your edits, click the Create policy button in the bottom right corner
To edit an existing SCP:

- Go to the AWS Organizations service
- Click on the Policies tab
- Click on the Service control policies link
- Click the checkbox next to the existing policy that you would like to edit
- Click the View details button on the right side of the screen
- Click the Edit policy button. AWS-managed policies (such as FullAWSAccess) are read-only and cannot be edited
- Make your changes and click the Save changes button in the bottom right corner
To attach an SCP to an OU or account:

- Go to the AWS Organizations service
- Click on the Organize accounts tab
- Click on the OU (or account) on the left side of the screen that you want to apply the SCP to
- Expand Service control policies on the right side of the screen
- Attach or detach SCPs as needed. At most 5 SCPs can be attached to an OU and at most 5 to an account (the same limit applies to the root). The SCPs attached at the root, at every OU on an account's path and on the account itself all apply together, so the account's effective ceiling is the intersection of all of them: an action must be allowed at every level, and a Deny anywhere on the path wins. Detaching FullAWSAccess from an OU without attaching an allow-list in its place blocks every action in that OU.
Do not detach or edit the aws-guardrails-XXXXXX Service Control Policies from the Organizational Units. Doing so creates drift in the Control Tower configuration and could cause unpredictable behavior.
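The creation and attachment steps above leave two things implicit: what a policy document pasted into the code editor actually looks like, and how SCPs attached at the root, an OU and an account combine. The following is an added example written for this page, not code from the original wiki or from AWS. It embeds two constructed SCP documents (a guardrail that denies leaving the organization and tampering with CloudTrail, and an allow-list for a hypothetical Sandbox OU) alongside the AWS-managed FullAWSAccess policy, and a deliberately simplified evaluator that models the intersection rule: only Effect and Action are considered, Resource is ignored, and statements using NotAction, NotResource or Condition are rejected rather than silently mis-evaluated. The organization layout (root, Sandbox OU, member account) is an assumption for the demonstration.

```python
"""Added example (not from the original page or AWS): constructed SCP documents
and a simplified model of how SCPs along an account's path intersect.

Assumptions: only Effect and Action are modelled; Resource is ignored;
NotAction/NotResource/Condition raise instead of being evaluated.
"""
import fnmatch
import json

MAX_SCPS_PER_TARGET = 5  # AWS limit per root, OU or account

# AWS-managed default SCP, attached to every root, OU and account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail SCP, as you would paste it into the policy code editor.
PROTECT_ORG_AND_TRAIL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
      "Resource": "*"
    }
  ]
}""")

# Constructed allow-list SCP for a hypothetical Sandbox OU. Because an SCP is a
# ceiling, this only restricts anything if FullAWSAccess is detached from that OU.
SANDBOX_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SandboxServicesOnly",
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "logs:*", "cloudwatch:*", "cloudtrail:*"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and may use "*" globs such as "s3:*".
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def level_allows(policies, action):
    """Evaluate the SCPs attached to one target (root, OU or account).

    Within a level an explicit Deny in any attached SCP wins; otherwise at least
    one Allow statement must match, because SCPs never grant implicitly.
    """
    if len(policies) > MAX_SCPS_PER_TARGET:
        raise ValueError(f"at most {MAX_SCPS_PER_TARGET} SCPs may be attached to one target")
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
                raise ValueError("NotAction/NotResource/Condition are not modelled here")
            if not _action_matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allows(path, action):
    """`path` lists the SCP sets from the root down to the account.

    The effective boundary is the intersection: every level on the path must
    allow the action. A lower level cannot grant what a higher level denied
    or failed to allow, and vice versa.
    """
    return all(level_allows(level, action) for level in path)


# Constructed organization: root -> Sandbox OU -> member account.
SANDBOX_ACCOUNT_PATH = [
    [FULL_AWS_ACCESS, PROTECT_ORG_AND_TRAIL],  # root
    [SANDBOX_ALLOW_LIST],                      # Sandbox OU (FullAWSAccess detached)
    [FULL_AWS_ACCESS],                         # member account
]


if __name__ == "__main__":
    for act in ("s3:PutObject", "iam:CreateUser", "cloudtrail:DescribeTrails",
                "cloudtrail:StopLogging", "organizations:LeaveOrganization"):
        verdict = "allowed" if effective_allows(SANDBOX_ACCOUNT_PATH, act) else "blocked"
        print(f"{act:36} {verdict}")
```

Running it shows the two failure modes worth remembering: iam:CreateUser is blocked even though both the root and the account carry FullAWSAccess, because the OU allow-list in between never allows it; and cloudtrail:StopLogging is blocked even though the OU allows cloudtrail:*, because the Deny at the root wins. The real AWS evaluator also honours Resource, NotAction and Condition, which this model deliberately refuses to guess at.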