Service Control Policies (SCPs)

Enforcing Guardrails with Service Control Policies (SCPs)

Service Control Policies (SCPs) are organization-wide policies that help enforce governance and security controls across multiple AWS accounts in an AWS Organizations setup.

Key Characteristics of SCPs

• SCPs do not grant permissions but instead restrict actions that IAM Roles, IAM Users, and AWS Root Users can perform.

• SCPs apply at the AWS Organizations level, meaning they affect all IAM identities (users, roles, and groups) in an account.

• SCPs can be applied to AWS Accounts, Organizational Units (OUs), or the Root Organization.

• SCPs do not override IAM permissions, but they act as guardrails to prevent unauthorized actions.

Think of SCPs as a "deny by default" framework that ensures certain actions are always blocked—even if an IAM policy allows them.

• SCPs restrict what AWS accounts can do (even if an IAM Role has permissions).

• Best Practice: SecureCart uses SCPs to block high-risk actions.

Example SCP: Deny Deletion of IAM Roles

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "iam:DeleteRole",
      "Resource": "*"
    }
  ]
}

Now, no one in SecureCart's AWS accounts can delete IAM Roles—even if their IAM Role allows it.

How SCPs Work with AWS Organizations & IAM

• SCPs are attached to AWS Organizations' Root, OUs, or AWS Accounts.

• They do NOT grant permissions—only restrict actions.

• If an SCP explicitly denies an action, IAM Users and Roles in the account cannot perform it, even if an IAM Policy allows it.

SCP vs. IAM Policies

Best Practice: Use SCPs for high-level security enforcement and IAM Policies for detailed permissions.

SCP Use Cases in SecureCart

SecureCart uses SCPs to enforce security, compliance, and governance controls across multiple AWS accounts.

• Example 1: Deny Root User Access to All Accounts

  • Why? Prevent security risks by ensuring the Root User cannot perform any action.

  • Result: Even if the Root User tries to create IAM Users or change policies, they are blocked

• Example 2: Prevent Developers from Modifying IAM Policies

  • Why? Developers should not modify IAM Roles or Policies, even if they have broad permissions.

  • Result: Developers cannot change IAM permissions, even if an IAM Role grants them access.

• Example 3: Require All AWS Accounts to Enable Security Services

  • Why? Ensure that AWS Security Hub, GuardDuty, and AWS Config remain enabled for compliance.

  • Result: No one can disable security monitoring in SecureCart AWS accounts.

How SecureCart Implements SCPs Across OUs

SecureCart applies SCPs at the Organizational Unit (OU) level to enforce best practices.

📌 SecureCart AWS Organizations SCPs by OU

Result: SCPs prevent misconfigurations and enforce compliance across all AWS accounts.

SCP Best Practices

• Apply SCPs at the OU Level, not the account level, for better scalability.

• Use SCPs to enforce security & compliance, not for day-to-day permission management (use IAM for that).

• Test SCPs in a non-production OU before applying them org-wide.

• Combine IAM Identity Center (AWS SSO) with SCPs for a secure and scalable multi-account architecture.

AWS SCPs help SecureCart enforce organization-wide security while IAM Identity Center manages user access.

Summary: How SCPs Improve Security in Multi-Account AWS Environments

SCPs enforce security guardrails without replacing IAM permissions.

How SecureCart Secures Multi-Account Access