Certified Security - Specialty


Service Control Policy Deny Only?

In the AWS Organizations & Service Control Policies lecture, Faye states that SCPs are deny only (03:19). But we can Allow too?

There is an AWS article that shows how SCPs can be used (Whitelist or Blacklist)

https://docs.aws.amazon.com/organizations/latest/userguide/SCP_strategies.html

Could you please clarify?

1 Answer

SCPs are service boundaries. When a service is allowed in an SCP, it does not mean an identity is "allowed" to perform operations. An identity can only perform operations on that service when it has sufficient policies in place.

But when a service is denied in an SCP, it means any identity is denied from performing any operations (even if it has explicit policies in place).

So long answer short, SCPs are used to Deny only.
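The point the answer makes (an SCP Allow only leaves an action available; the identity still needs its own permission, while an SCP Deny wins over everything) can be checked with a small simulation. The code below is an added example, not part of the original thread or of any AWS tooling. It assumes a deliberately simplified model: policies are plain dicts in the usual JSON shape, only the Action element is matched (Resource and Condition are ignored), and only the SCP plus one identity policy take part in the decision. The two SCPs and the identity policy are constructed for illustration.

```python
"""Added example: simplified evaluation of an SCP combined with an IAM identity policy.

Assumptions (constructed, not AWS's real evaluation engine):
- Policies are dicts in the JSON shape AWS uses (Version / Statement / Effect / Action / Resource).
- Only Action matching (with '*' wildcards, case-insensitive) is modelled; Resource and
  Condition are ignored.
- Real AWS evaluation has more stages (resource policies, permission boundaries,
  session policies); here only SCP + identity policy are considered.
"""
from fnmatch import fnmatchcase

# Constructed SCP written as an allow list: only EC2 and S3 are available in the account.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    ],
}

# Constructed SCP written as a deny list: everything is available except S3.
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed IAM identity policy attached to a user or role in a member account.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:ListUsers"], "Resource": "*"},
    ],
}


def _actions(stmt):
    """Normalise the Action element, which may be a string or a list, to a list."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else list(action)


def policy_decision(policy, action):
    """Evaluate one policy document for one action.

    Returns 'deny' if any matching statement is an explicit Deny (it always wins),
    'allow' if at least one matching statement is an Allow, otherwise 'implicit_deny'.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        matched = any(fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt))
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def is_permitted(scp, identity_policy, action):
    """The action succeeds only if the SCP leaves it available AND the identity grants it.

    An SCP 'allow' on its own never grants anything; an SCP 'deny' (explicit or
    implicit) blocks the action regardless of the identity policy.
    """
    scp_result = policy_decision(scp, action)
    identity_result = policy_decision(identity_policy, action)
    return scp_result == "allow" and identity_result == "allow"


def explain(scp, identity_policy, action):
    """Return (scp_decision, identity_decision, final) so each stage is visible."""
    return (
        policy_decision(scp, action),
        policy_decision(identity_policy, action),
        is_permitted(scp, identity_policy, action),
    )


if __name__ == "__main__":
    for name, scp in (("allow-list SCP", ALLOW_LIST_SCP), ("deny-list SCP", DENY_LIST_SCP)):
        for action in ("s3:GetObject", "iam:ListUsers", "ec2:StartInstances"):
            scp_d, id_d, final = explain(scp, IDENTITY_POLICY, action)
            print(f"{name:15} {action:20} scp={scp_d:13} identity={id_d:13} -> {final}")
```

Running the script shows the three cases the answer describes: under the allow-list SCP, `ec2:StartInstances` is available but still fails because the identity policy never grants it; `iam:ListUsers` is granted by the identity policy but fails because the SCP does not list IAM; and `s3:GetObject` succeeds only because both sides allow it. Under the deny-list SCP, `s3:GetObject` fails even though the identity policy explicitly allows it. Two further caveats worth remembering for the exam: SCPs do not affect the management account of the organization, and they do not restrict service-linked roles.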
