# AWS Service Control Policies (SCPs)

AWS **Service Control Policies (SCPs)** provide **organization-wide governance** and **permission boundaries** for AWS accounts within **AWS Organizations**.

#### **✅ Key Characteristics of SCPs**

* SCPs **do not grant permissions**; they only **restrict** what IAM users, roles, and groups can do.
* Applied at the **account or Organizational Unit (OU) level**, not to individual IAM users or roles.
* Useful for **compliance, security enforcement, and cost control**.

***

### **📌 Common SCP Use Cases & Examples**

#### **1️⃣ Restricting AWS Services**

**Use Case:** Prevent usage of **unauthorized AWS services** in specific AWS accounts.\
✅ Helps enforce compliance by **blocking non-approved services**.\
✅ Ensures developers only use **approved services** for workloads.

***

#### **2️⃣ Preventing IAM User & Role Creation**

**Use Case:** Ensure IAM roles and users can only be created in the **management account**.\
✅ Avoids security risks from uncontrolled IAM roles.\
✅ Prevents **unauthorized IAM role escalation** by developers.

***

#### **3️⃣ Blocking Public S3 Buckets**

**Use Case:** Prevent developers from **making S3 buckets public**, ensuring sensitive data remains secure.\
✅ Prevents **accidental exposure of S3 objects**.\
✅ Ensures **compliance with security policies** by enforcing bucket-level security.

***

#### **4️⃣ Enforcing AWS Region Restrictions**

**Use Case:** Restrict AWS resource creation to **approved regions** (e.g., only allow `us-east-1` and `eu-west-1`).\
✅ Helps with **data residency compliance** (e.g., GDPR).\
✅ Prevents unauthorized **deployment in high-cost or restricted regions**.

***

#### **5️⃣ Preventing CloudTrail Log Deletion**

**Use Case:** Ensure **audit logs remain intact** by **blocking deletion of CloudTrail logs**.\
✅ Prevents **malicious log deletion** that could cover up security incidents.\
✅ Ensures compliance with **audit and regulatory requirements**.

***

#### **6️⃣ Preventing Root User Actions**

**Use Case:** Restrict AWS **root user actions** to prevent unauthorized changes.\
✅ Enhances security by **reducing root account usage**.\
✅ Encourages **IAM role-based access control** instead of root access.

***

#### **7️⃣ Enforcing Encryption on All AWS Storage Services**

**Use Case:** Ensure **all stored data is encrypted at rest** across **S3, RDS, and EBS**.\
✅ Helps meet **compliance and security best practices**.\
✅ Ensures **data confidentiality** by enforcing encryption.

***

#### **8️⃣ Enforcing AWS Config for Compliance Monitoring**

**Use Case:** Ensure AWS Config is enabled across all accounts to track resource changes and compliance.\
✅ Helps with **security audits and compliance reporting**.\
✅ Ensures **resources are continuously monitored** for misconfigurations.

**Implementation Considerations:**

* Apply SCPs to enforce AWS Config in all accounts.
* Combine with AWS Config rules to **detect and remediate non-compliant resources**.
* Use **AWS Config Aggregator** in the **management account** to collect compliance data across all accounts.

✅ Example Scenario:\
A company wants to **enforce encryption on all S3 buckets** across its AWS Organization. It implements an AWS Config rule that checks for S3 bucket encryption and an SCP that **prevents disabling AWS Config**, so the detection itself cannot be switched off by a member account.

***

### **📌 Best Practices for SCP Implementation**

✅ **Apply SCPs at the Organizational Unit (OU) level** for better manageability.\
✅ **Use Allow/Deny strategically** to **enforce security while avoiding disruption**.\
✅ **Test SCPs before applying them** using the **IAM Policy Simulator**.\
✅ **Combine SCPs with IAM Policies** for **fine-grained access control**.\
✅ **Monitor SCP enforcement using CloudTrail logs** (requests blocked by an SCP are recorded as access-denied events).

***

### **📌 Common Mistakes**

❌ **Overly restrictive SCPs blocking essential services**.\
❌ **Applying SCPs without testing, leading to broken workflows**.\
❌ **Forgetting that SCPs do not grant permissions** (IAM policies are still required).\
❌ **Not applying SCPs at the Organizational Unit (OU) level**, leading to inconsistency.
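The following Python is an added illustration, not code from the original page or from AWS: it encodes the region-restriction SCP from use case 4 together with the CloudTrail-protection denies from use case 5, then evaluates sample requests with a deliberately simplified evaluator (only `Action`/`NotAction` and the `aws:RequestedRegion` `StringNotEquals` condition; AWS's real evaluation logic handles far more). The policy document is constructed for this example and assumes the default `FullAWSAccess` SCP remains attached, so the Deny statements are the only restriction in effect; the final `effective_decision` function shows the mistake called out above, that an SCP never grants access on its own.

```python
import fnmatch

# Constructed SCP combining use case 4 (approved regions only) and use case 5
# (CloudTrail must keep logging). Region-less global services are exempted from
# the region check via NotAction. Assumes AWS's default FullAWSAccess SCP stays
# attached, so these Deny statements are the only restriction in effect.
REGION_AND_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
        {"Sid": "DenyCloudTrailTampering", "Effect": "Deny",
         "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
}

def _matches(patterns, action):
    """IAM-style action matching: case-insensitive, '*' wildcards."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _statement_applies(stmt, action, region):
    """True if the statement covers this action and its condition holds."""
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        if op != "StringNotEquals":  # only operator this toy evaluator models
            raise NotImplementedError(op)
        for key, values in keys.items():
            if key == "aws:RequestedRegion" and region in values:
                return False  # approved region: the Deny does not fire
    return True

def scp_denies(scp, action, region):
    """Explicit Deny from any SCP statement that applies to the request."""
    return any(s["Effect"] == "Deny" and _statement_applies(s, action, region)
               for s in scp["Statement"])

def effective_decision(scp, iam_allows, action, region):
    """An SCP Deny always wins; an SCP never grants, so IAM must still Allow."""
    if scp_denies(scp, action, region):
        return "DENY (SCP)"
    return "ALLOW" if iam_allows else "DENY (no IAM allow)"
```

Run the functions against your own candidate SCP before attaching it; an identity with a broad IAM Allow should still be denied outside the approved regions, while the same request with no IAM Allow stays denied even in an approved region.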

***

### **📌 Summary**

🚀 **AWS Service Control Policies (SCPs) provide centralized governance for AWS accounts, enabling security, compliance, and cost management.**\
✔ **Restrict IAM role creation to prevent privilege escalation.**\
✔ **Block public S3 bucket access for data security.**\
✔ **Prevent CloudTrail deletion to ensure auditability.**\
✔ **Restrict AWS service usage to avoid unnecessary costs.**\
✔ **Enforce encryption across AWS storage services for compliance.**\
✔ **Ensure AWS Config is enabled to track compliance and security changes.**
