1 Answers
Hi, in the video "AWS Organizations & Service Control Policies" at 03h27 the video says that SCPs can only deny access.
Well, it's not true: SCPs can be used to Allow access.
If SCPs are enabled and you disable the default "FullAWSAccess" SCP, the usual implicit deny applies.
Then you can enable access to everything in a granular manner, like a regular IAM policy.
Marouen, you are 100% correct on this! Other ACG videos speak of the Allow possibility.
I see what you are saying, but technically SCPs can't grant, because let's say the policy allows a permission: if the IAM policy for that user/role does not also allow it, then it will not go into effect. Also, if you refer to the AWS documentation, it specifically says "SCPs are similar to IAM permission policies and use almost the same syntax. However, an SCP never grants permissions".
Link to documentation: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
I understand what you say. Of course, if the IAM permission attached to the user/role/group denies something, the SCP will not bypass it. My point was to explain that an "Allow" is possible within an SCP.
When IAM and SCP policies are evaluated, the effective permissions are the intersection of the permissions in the IAM and SCP policy. You will see that Organizations has a default SCP that allows all; without this, nothing will be allowed. So even though SCPs have allow statements in them, they do not grant the permission, they just allow an IAM policy to grant the permission. As an example, if you were to edit the default SCP and, instead of allowing all, only allow `s3:*`, then the only actions allowed in the affected accounts would be `s3:*`, even if you had an IAM policy with `ec2:*`. On the other hand, policies allowing S3 actions will still allow those actions, but policies that do not have any S3 permissions will not start allowing S3 now.
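The intersection rule both answers describe (an SCP layer must allow, and the IAM policy must also allow, and an SCP Allow alone grants nothing) can be checked with a small evaluator. This is an added example written for this thread, not ACG or AWS code; the policies are constructed samples and Resource/Condition matching is left out to keep the model short.

```python
import fnmatch

# Constructed sample policies for illustration only (not copied from AWS or the thread).
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_SCP = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_DELETE_SCP = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
IAM_EC2_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
IAM_S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": "*"}]}


def _matches(action, pattern):
    # IAM action names are case-insensitive; "*" and "s3:*" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Evaluate one set of policies: an explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(_matches(action, a) for a in actions):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_decision(scp_layers, iam_policies, action):
    """Every SCP layer (root, each OU, the account) must Allow the action, AND the
    IAM policies must Allow it. An SCP Allow by itself never grants anything."""
    for layer in scp_layers:
        if evaluate(layer, action) != "Allow":
            return "Deny"
    return "Allow" if evaluate(iam_policies, action) == "Allow" else "Deny"


if __name__ == "__main__":
    # Default FullAWSAccess SCP: the IAM policy decides.
    print(effective_decision([[FULL_AWS_ACCESS_SCP]], [IAM_EC2_ADMIN], "ec2:RunInstances"))
    # SCP narrowed to s3:* as in the answer above: ec2:* in IAM no longer helps.
    print(effective_decision([[S3_ONLY_SCP]], [IAM_EC2_ADMIN], "ec2:RunInstances"))
    # SCP allows s3:* but IAM has no S3 permission: still denied.
    print(effective_decision([[S3_ONLY_SCP]], [IAM_EC2_ADMIN], "s3:GetObject"))
    # FullAWSAccess detached and nothing else attached: implicit deny on everything.
    print(effective_decision([[]], [IAM_EC2_ADMIN], "ec2:RunInstances"))
```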