Certified Security - Specialty


SCP can allow access

Hi, in the video "AWS Organizations & Service Control Policies" at 03h27 the video says that SCPs can only deny access.

Well it’s not true, SCPs can be used to Allow access.

If SCPs are enabled and you disable the default "FullAWSAccess" SCP, the usual implicit deny applies.

Then you can enable access in a granular manner to everything, like a regular IAM policy.

Water

I see what you are saying, but technically an SCP can't grant, because let's say the policy allows a permission: if the IAM policy for that user/role does not also allow it, then it will not go into effect. Also, if you refer to the AWS documentation, it specifically says "SCPs are similar to IAM permission policies and use almost the same syntax. However, an SCP never grants permissions".

Marouen REBANI

I understand what you say. Of course, if the IAM permission attached to the user/role/group denies something, the SCP will not bypass it. My point was to explain that an "Allow" is possible within an SCP.

Chris Swart

When IAM and SCP policies are evaluated, the effective permissions are the intersection of the permissions in the IAM and SCP policy. You will see that Organizations has a default SCP that allows all; without this, nothing will be allowed. So even though SCPs have allow statements in them, they do not grant the permission, they just allow an IAM policy to grant the permission. As an example, if you were to edit the default SCP and, instead of allowing all, only allow `s3:*`, then the only actions allowed in the affected accounts would be `s3:*` even if you had an IAM policy with `ec2:*`. On the other hand, policies allowing S3 actions will still allow those actions, but policies that do not have any S3 permissions will not start allowing S3 now.
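The intersection rule described in this thread, as an added example that is not part of the original discussion: a deliberately simplified evaluator (actions only, ignoring Resource, Condition, permission boundaries and resource-based policies) run against the FullAWSAccess SCP and a constructed `s3:*`-only replacement, with a constructed IAM policy granting `ec2:*` and `s3:GetObject`. All policy documents here are constructed samples.

```python
import fnmatch
from typing import Dict, List

# Constructed sample policies (not from the thread). Action matching uses
# case-insensitive wildcards; Resource and Condition are deliberately ignored.
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
S3_ONLY_SCP = {"Statement": [{"Effect": "Allow", "Action": "s3:*"}]}
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"]},
]}


def _actions(stmt: Dict) -> List[str]:
    """Normalise the Action element, which may be a string or a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def policy_decision(policy: Dict, action: str) -> str:
    """Return 'deny', 'allow' or 'implicit_deny' for a single policy document."""
    decision = "implicit_deny"
    for stmt in policy.get("Statement", []):
        patterns = [p.lower() for p in _actions(stmt)]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            decision = "allow"
    return decision


def is_allowed(scp: Dict, iam_policy: Dict, action: str) -> bool:
    """Effective permission: the SCP must allow AND the IAM policy must allow.

    An SCP 'Allow' alone never grants anything; it only leaves room for an
    IAM policy to grant it. A missing IAM grant is still an implicit deny.
    """
    return (policy_decision(scp, action) == "allow"
            and policy_decision(iam_policy, action) == "allow")


def evaluate(scp: Dict, iam_policy: Dict, actions: List[str]) -> Dict[str, bool]:
    """Map each action to its effective decision under the given SCP + IAM pair."""
    return {a: is_allowed(scp, iam_policy, a) for a in actions}


if __name__ == "__main__":
    probes = ["ec2:RunInstances", "s3:GetObject", "s3:PutObject"]
    for name, scp in [("FullAWSAccess", FULL_AWS_ACCESS_SCP), ("s3:* only", S3_ONLY_SCP)]:
        print(name, evaluate(scp, IAM_POLICY, probes))
```

Note that `s3:PutObject` stays denied under both SCPs: the `s3:*` SCP allows it, but the IAM policy never grants it, which is exactly the "SCPs don't grant" point above.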

1 Answer

Marouen, you are 100% correct on this! Other ACG videos speak of the Allow possibility.
