# AWS Service Control Policies (SCPs)

AWS **Service Control Policies (SCPs)** are an **AWS Organizations** policy type that sets the **maximum permissions available** to the **member accounts** of an organization, giving a central team **organization-wide governance** over what those accounts can do. They are distinct from IAM **permissions boundaries**, which are attached to individual IAM principals.

#### **✅ Key Characteristics of SCPs**

* SCPs **do not grant permissions**; they cap what the IAM users and roles in an account can do. A principal still needs an IAM (identity-based or resource-based) policy that allows the action, and no SCP in the account's hierarchy may deny it.
* Attached to the **organization root, an OU, or an individual account**, never to an IAM user, group, or role. Policies inherited down the hierarchy intersect: an action must be allowed at every level from the root down to the account.
* SCPs **do not affect the management account** (even its root user) and do not restrict service-linked roles, but they **do** apply to the root user of every member account.
* Every organization starts with the AWS-managed `FullAWSAccess` policy attached to the root and to each OU and account; detaching it without attaching another `Allow` policy leaves the affected accounts unable to do anything.
* Useful for **compliance, security enforcement, and cost control**.

***

### **📌 Common SCP Use Cases & Examples**

#### **1️⃣ Restricting AWS Services**

**Use Case:** Prevent usage of **unauthorized AWS services** in specific AWS accounts.\
✅ Helps enforce compliance by **blocking non-approved services**.\
✅ Ensures developers only use **approved services** for workloads.\
✅ Two patterns exist: a **deny list** (keep `FullAWSAccess` attached and add `Deny` statements for specific services) or an **allow list** (replace `FullAWSAccess` with an `Allow` of only the approved services, so anything unlisted is implicitly denied). Deny lists are easier to maintain, because newly launched AWS services stay usable until you decide to block them.
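As an added example (not from the original page), here is a deny-list SCP for this use case. It assumes `FullAWSAccess` stays attached and denies two services by name; the two service prefixes are placeholders chosen for illustration, so substitute the services your organization has not approved:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedServices",
      "Effect": "Deny",
      "Action": [
        "lightsail:*",
        "gamelift:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Because this is a deny list, every other service remains available through `FullAWSAccess`. Attach it to the OU holding the accounts in question rather than to individual accounts, and remember that it has no effect on the management account.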

***

#### **2️⃣ Preventing IAM User & Role Creation**

**Use Case:** Ensure IAM users and roles are created only from the **management account** (which SCPs never restrict) or by an explicitly exempted provisioning role, by denying `iam:CreateUser` and `iam:CreateRole` in member accounts.\
✅ Avoids security risks from uncontrolled IAM roles whose trust and permission policies were never reviewed.\
✅ Prevents a developer with broad `iam:*` rights in their account from **creating a new, more privileged identity for themselves**.
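As an added example (not from the original page), an SCP that denies identity creation in member accounts unless the caller is a specific provisioning role. The role name `IdentityProvisioner` is a hypothetical placeholder; `aws:PrincipalArn` resolves to the role ARN for assumed-role sessions, so the exemption applies to anyone who can assume that role, which is why its trust policy must be tight:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamIdentityCreationExceptProvisioner",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/IdentityProvisioner"
        }
      }
    }
  ]
}
```

The management account is unaffected by this policy regardless of the condition, so a central pipeline running there can still create identities in member accounts by assuming a role into them only if that role is the exempted one.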

***

#### **3️⃣ Blocking Public S3 Buckets**

**Use Case:** Prevent developers from **making S3 buckets public**, ensuring sensitive data remains secure. An SCP cannot inspect the contents of a bucket policy, so the practical lever is to lock the **S3 Block Public Access** settings in place and deny public canned ACLs.\
✅ Prevents **accidental exposure of S3 objects**.\
✅ Ensures **compliance with security policies** by enforcing account- and bucket-level public access controls.
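As an added example (not from the original page), an SCP that locks Block Public Access and rejects public canned ACLs. It assumes Block Public Access has already been enabled at the account level in every member account before the policy is attached, since the SCP can only stop it being changed, not turn it on:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LockS3BlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyPublicCannedAcls",
      "Effect": "Deny",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketAcl",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": [
            "public-read",
            "public-read-write",
            "authenticated-read"
          ]
        }
      }
    }
  ]
}
```

The first statement also covers the delete calls, because deleting a public access block configuration requires the same `Put...PublicAccessBlock` permission. The second statement is belt-and-braces: with Block Public Access on, public ACLs are already ignored, but the explicit deny makes the attempt show up as an `AccessDenied` in CloudTrail.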

***

#### **4️⃣ Enforcing AWS Region Restrictions**

**Use Case:** Restrict AWS API calls to **approved regions** (e.g., only allow `us-east-1` and `eu-west-1`) using the `aws:RequestedRegion` condition key. Global services such as IAM, STS, Organizations, Route 53, and CloudFront must be exempted, or the policy will break them.\
✅ Helps with **data residency compliance** (e.g., GDPR).\
✅ Prevents unauthorized **deployment in high-cost or restricted regions**, including regions nobody is monitoring.
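As an added example (not from the original page), a region-restriction SCP for the two regions named above. The `NotAction` list exempts global services whose calls are not tied to an approved region; the list is illustrative and should be reviewed against the services your organization actually uses:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "access-analyzer:*",
        "account:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "cloudfront:*",
        "cur:*",
        "globalaccelerator:*",
        "health:*",
        "iam:*",
        "organizations:*",
        "route53:*",
        "route53domains:*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

`NotAction` with `Deny` means "deny everything except these actions", so the global services stay usable from any region while every regional API call outside the two approved regions is refused. Test this on a sandbox OU first: a missing entry in the exemption list surfaces as a broken service rather than a clear error.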

***

#### **5️⃣ Preventing CloudTrail Log Deletion**

**Use Case:** Ensure **audit logs remain intact** by blocking member accounts from **stopping, deleting, or reconfiguring CloudTrail trails** and from deleting objects in the central log bucket. The SCP protects the API calls; the log files themselves are protected by the log bucket's policy and, ideally, S3 Object Lock.\
✅ Prevents **malicious log deletion** that could cover up security incidents.\
✅ Ensures compliance with **audit and regulatory requirements**.

***

#### **6️⃣ Preventing Root User Actions**

**Use Case:** Deny all actions for the **root user of member accounts** to prevent unauthorized changes. SCPs apply to member-account root users but cannot restrict the **management account's** root user, which must be protected with MFA and process controls instead.\
✅ Enhances security by **reducing root account usage**; the few tasks that genuinely require root can be done by temporarily moving the account out of the restricted OU.\
✅ Encourages **IAM role-based access control** instead of root access.
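As an added example (not from the original page), the SCP that blocks every action taken with member-account root credentials. It relies on the fact that a root user's `aws:PrincipalArn` always has the form `arn:aws:iam::<account-id>:root`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMemberAccountRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Root can still sign in to the console (authentication is not an API call governed by SCPs), but every subsequent action fails. Pair this with a CloudWatch or EventBridge alert on root sign-in events, since any root login in a member account is by definition unexpected once this policy is in place.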

***

#### **7️⃣ Enforcing Encryption on All AWS Storage Services**

**Use Case:** Ensure **all newly created storage is encrypted at rest** across **S3, RDS, and EBS** by denying the create/put API calls whose request parameters indicate no encryption, using service condition keys such as `ec2:Encrypted`, `rds:StorageEncrypted`, and `s3:x-amz-server-side-encryption`. An SCP cannot retroactively encrypt existing resources.\
✅ Helps meet **compliance and security best practices**.\
✅ Ensures **data confidentiality** by enforcing encryption.
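As an added example (not from the original page), an SCP covering the three services named above. It assumes every member account also has EBS encryption by default enabled per region, so that the EBS statement acts as a backstop rather than the primary control:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedRdsStorage",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:StorageEncrypted": "false"
        }
      }
    },
    {
      "Sid": "RequireKmsEncryptionOnS3Uploads",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```

Two caveats. The EBS statement scopes `ec2:RunInstances` to the `volume/*` resource so that the `ec2:Encrypted` key is evaluated against each volume the launch creates. The S3 statement is strict: because `StringNotEquals` also matches when the header is absent, uploads that omit `x-amz-server-side-encryption` are denied even though S3 would have applied its default SSE-S3 encryption. If you only want to forbid an explicitly chosen non-KMS option and let bucket defaults handle the rest, use `StringNotEqualsIfExists` instead.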

***

#### **8️⃣ Enforcing AWS Config for Compliance Monitoring**

**Use Case:** Ensure AWS Config stays enabled across all accounts to track resource changes and compliance. An SCP cannot turn AWS Config on; it can prevent member accounts from **stopping or deleting the configuration recorder, delivery channel, and rules** once they have been deployed.\
✅ Helps with **security audits and compliance reporting**.\
✅ Ensures **resources are continuously monitored** for misconfigurations.

**Implementation Considerations:**

* Deploy the AWS Config recorder and delivery channel to every account (for example with CloudFormation StackSets), then attach an SCP that denies disabling them.
* Combine with AWS Config rules to **detect and remediate non-compliant resources**.
* Use an **AWS Config aggregator** in the **management account** (or a delegated administrator account) to collect compliance data across all accounts.

✅ Example Scenario:\
A company wants to **enforce encryption on all S3 buckets** across its AWS Organization. They implement an AWS Config rule that checks for S3 bucket encryption and an SCP that **prevents disabling AWS Config**.
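As an added example (not from the original page) serving both use case 5 (CloudTrail) and use case 8 (AWS Config), one SCP that protects both services from being switched off in member accounts. The bucket name `org-cloudtrail-logs` is a placeholder for your central log bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrailTrails",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectCloudTrailLogObjects",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::org-cloudtrail-logs",
        "arn:aws:s3:::org-cloudtrail-logs/*"
      ]
    },
    {
      "Sid": "ProtectAwsConfigRecorder",
      "Effect": "Deny",
      "Action": [
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteConfigRule"
      ],
      "Resource": "*"
    }
  ]
}
```

`PutEventSelectors` is included because an attacker who cannot stop a trail can still try to drop management events from it; `PutLifecycleConfiguration` is included because an expiry rule on the log bucket deletes evidence just as effectively as `DeleteObject`. If the log bucket lives in the management account, the S3 statement only matters for cross-account attempts, since that account is not subject to SCPs; protect it there with a bucket policy and Object Lock.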

***

### **📌 Best Practices for SCP Implementation**

✅ **Apply SCPs at the Organizational Unit (OU) level** for better manageability.\
✅ **Prefer deny lists** (keep `FullAWSAccess` attached and deny specific actions) unless you can maintain an allow list; an explicit **Deny always wins** over any Allow at any level.\
✅ **Test SCPs before applying them**: attach them to a sandbox OU first, and use the **IAM Policy Simulator** from within a member account, where it takes the account's SCPs into account.\
✅ **Combine SCPs with IAM Policies** for **fine-grained access control**: the SCP is the ceiling, IAM grants within it.\
✅ **Monitor SCP enforcement in CloudTrail**: a call blocked by an SCP is logged as `AccessDenied` with an error message stating that an explicit deny in a service control policy blocked it.\
✅ **Mind the limits**: an SCP document is capped at 5,120 bytes, and at most five SCPs can be attached directly to any root, OU, or account.

***

### **📌 Common Mistakes**

❌ **Overly restrictive SCPs blocking essential services** (a region or service deny also blocks the roles that services such as CloudFormation assume inside the account).\
❌ **Applying SCPs without testing, leading to broken workflows**.\
❌ **Forgetting that SCPs do not grant permissions** (IAM policies are still required).\
❌ **Detaching `FullAWSAccess` without attaching a replacement Allow policy**, which denies everything in the affected accounts.\
❌ **Expecting an SCP to restrict the management account**; SCPs never apply to it, so keep workloads out of it.\
❌ **Not applying SCPs at the Organizational Unit (OU) level**, leading to inconsistency.

***

### **📌 Summary**

🚀 **AWS Service Control Policies (SCPs) provide centralized governance for AWS accounts, enabling security, compliance, and cost management.**\
✔ **Restrict IAM role creation to prevent privilege escalation.**\
✔ **Block public S3 bucket access for data security.**\
✔ **Prevent CloudTrail deletion to ensure auditability.**\
✔ **Restrict AWS service usage to avoid unnecessary costs.**\
✔ **Enforce encryption across AWS storage services for compliance.**\
✔ **Protect AWS Config from being disabled so resource changes and compliance keep being tracked.**


