
40 Powerful SCPs for AWS Organizations

Bhanu Reddy
13 min read, Feb 21, 2023

AWS Organizations is a management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. You can create accounts in your organization and also invite existing accounts to join the organization.

AWS Organisations

One of the features of AWS Organizations is SCPs, which helps you specify the maximum permissions for member accounts in the organization. Using SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for when to restrict access to AWS services, resources, and API actions.

Here are the 40 powerful SCPs that you can implement on top of your AWS organization, OU, and AWS accounts to secure your AWS cloud infrastructure.

1. Allow only approved services

The default SCP, FullAWSAccess, is a single statement that allows Action `*` on Resource `*`. An Allow statement belongs in only two places: that default policy, or a custom policy that explicitly lists the approved services. Which services you approve is up to you; typical allow lists contain services that meet a compliance requirement (for example, HIPAA-eligible services) or that the security team has otherwise reviewed and approved.
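The following is an added example, not code from the article: a small Python helper that builds an allow-list SCP of the kind described above and audits an existing SCP document for the FullAWSAccess pattern (an Allow statement on action `*`) and for the syntax rules AWS applies to Allow statements in SCPs (Resource must be `*`, and `Condition` and `NotAction` are not supported). The service list and the `build_allowlist_scp`, `audit_scp` and `SCP_MAX_CHARS` names are assumptions for this example; the shape of the FullAWSAccess document is the one AWS publishes.

```python
import json

# Constructed list of approved service namespaces (an assumption for this example;
# a real list would come from the security or compliance team).
APPROVED_SERVICES = ["ec2", "s3", "kms", "cloudtrail", "iam", "sts", "organizations"]

# The default SCP that AWS attaches to every new organization root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# AWS limits an SCP document to 5,120 characters (whitespace included).
SCP_MAX_CHARS = 5120


def build_allowlist_scp(services):
    """Return an SCP document that allows only the given service namespaces.

    An SCP is a permission boundary for the accounts it is attached to: every
    action not allowed here is implicitly denied for all principals in those
    accounts, regardless of their IAM policies.
    """
    if not services:
        raise ValueError("an allow-list SCP needs at least one service")
    # "svc:*" grants every action of that service; anything else stays denied.
    actions = sorted({f"{svc}:*" for svc in services})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowApprovedServicesOnly",
                "Effect": "Allow",
                "Action": actions,
                "Resource": "*",
            }
        ],
    }


def _as_list(value):
    """IAM JSON lets single values stand in for one-element lists; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_scp(policy):
    """Return a list of findings (strings) for an SCP document; empty means clean.

    Findings cover: an Allow on action "*" outside FullAWSAccess (grants every
    service), Allow statements that break SCP syntax rules, and the size limit.
    """
    findings = []
    statements = _as_list(policy.get("Statement"))
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {idx}")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "*" in actions:
            findings.append(f"{sid}: Allow on action '*' grants every service (FullAWSAccess pattern)")
        if _as_list(stmt.get("Resource")) != ["*"]:
            findings.append(f"{sid}: Allow statements in SCPs must use Resource '*'")
        if "Condition" in stmt:
            findings.append(f"{sid}: Condition is not supported on Allow statements in SCPs")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction is not supported on Allow statements in SCPs")
    size = len(json.dumps(policy, indent=2))
    if size > SCP_MAX_CHARS:
        findings.append(f"document is {size} characters, above the {SCP_MAX_CHARS} limit")
    return findings


if __name__ == "__main__":
    scp = build_allowlist_scp(APPROVED_SERVICES)
    print(json.dumps(scp, indent=2))
    print("allow-list findings:", audit_scp(scp))
    print("FullAWSAccess findings:", audit_scp(FULL_AWS_ACCESS))
```

Attaching the generated allow-list policy to an OU only takes effect if FullAWSAccess is detached from that OU as well; SCPs at the same level are combined with a logical OR for Allow, so leaving the default in place reopens everything the allow list was meant to close.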

Written by Bhanu Reddy

DevSecOps Engineer from India
