Which of the following is correct in relation to Service Control Policies?
a) An SCP applies to all Organizational Units and accounts below the Organizational Unit to which it has been attached
b) They are deny by default and can only be used to allow access to AWS resources
c) They can be used to allow or deny access to AWS resources
d) They can only be used to restrict access to AWS resources
-> You can use SCPs for whitelisting (= allow) or blacklisting (= deny) actions. So the answer and description are not correct:
I would choose A) and C) instead of D).
Any comments?
I’d buy A as an option, but C is definitely wrong. SCPs alone cannot allow access to AWS resources. They operate as a sort of mask identifying what is potentially authorize-able in an AWS account via IAM policies. While they cannot grant access, they can prevent access from being granted; therefore, D is correct.
I’ll still ticket this to content dev for review.
What I mean is that an SCP is similar to a "permissions boundary": with it you can control the maximum of the combined permissions of the identity and resource policies (and/or session policy). And when you are using an "Allow" statement in the SCP, it is not always a restriction, because if the SCP contains more allowed actions/permissions on "resources" than the combination of identity and resource policy, then the SCP is doing nothing. So the wording "is only to restrict access to AWS resources" maybe is not always correct.
We can definitely use "Effect": "Allow" in an SCP, as given in the URL below.
However, SCP restricts the access in a way that SCPs specify the maximum permissions for an organization or organizational unit (OU). If an SCP is present, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action. If both a permissions boundary and an SCP are present, then the boundary, the SCP, and the identity-based policy must all allow the action.
Option A is the most appropriate answer to the question; that is what is asked for…
I think some folks are overthinking this. A is definitely correct, and D is correct because an Allow doesn’t grant additional access, it instead limits access to just that which is in the Allow. Per the SCP Syntax page (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_scp-syntax.html): "Even though it uses the same Allow value keyword as an IAM permission policy, in an SCP it doesn’t actually grant a user permissions to do anything. Instead, SCPs specify the maximum permissions for an organization, organizational unit (OU), or account. In the preceding example, even if a user in the account had the AdministratorAccess managed policy attached, the SCP limits all users in the account to only Amazon S3 actions."
Echoing Tim Elliot,
"[SCPs] never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU)."
Thus, A and D are correct.
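The disagreement in the thread comes down to how an SCP combines with the identity policy and an optional permissions boundary: every layer must allow the action, and an SCP's Allow on its own grants nothing. The following Python model is an added example written for this thread, not code from the thread or from AWS. The policy documents are constructed samples (AdministratorAccess is modelled as its single Allow-everything statement), and the evaluator is deliberately simplified: it honours only Effect, Action and Resource, ignoring NotAction, NotResource, Condition, Principal and resource-based policies.

```python
import fnmatch

# Constructed sample policies for this example (not taken from the thread).
# AdministratorAccess is modelled as its single statement: Allow * on *.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Identity policy that only allows reading S3 objects.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

# Allow-list SCP in the spirit of the S3-only example quoted from the SCP syntax page.
S3_ONLY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Deny-list SCP: allow everything, then carve out one explicit Deny (a guardrail
# that keeps member accounts from leaving the organization).
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document.

    Simplified: only Effect/Action/Resource are honoured (no NotAction,
    NotResource, Condition or Principal elements).
    """
    verdict = "Implicit"
    for stmt in policy.get("Statement", []):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny in any statement wins
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policy, scps=(), boundary=None):
    """Combine the layers the thread discusses: every layer must Allow.

    The identity policy must allow the action (SCPs and boundaries never grant),
    every SCP on the path from the root to the account must allow it, and the
    permissions boundary, if one is set, must allow it too. An Implicit or Deny
    verdict in any layer means the request is denied.
    """
    layers = [identity_policy, *scps]
    if boundary is not None:
        layers.append(boundary)
    return all(evaluate(p, action, resource) == "Allow" for p in layers)


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    # Allow-list SCP caps an administrator to S3 actions only.
    print(is_allowed("s3:GetObject", obj, ADMINISTRATOR_ACCESS, [S3_ONLY_SCP]))      # True
    print(is_allowed("ec2:RunInstances", "*", ADMINISTRATOR_ACCESS, [S3_ONLY_SCP]))  # False
    # An SCP that allows everything grants nothing on its own.
    print(is_allowed("ec2:RunInstances", "*", S3_READ_ONLY, [GUARDRAIL_SCP]))       # False
    # Deny-list SCP blocks even AdministratorAccess.
    print(is_allowed("organizations:LeaveOrganization", "*", ADMINISTRATOR_ACCESS, [GUARDRAIL_SCP]))  # False
```

The second and third calls are the two halves of the argument above: the S3-only SCP turns an administrator into an S3-only user (the ceiling bites), while the allow-everything SCP does nothing for a read-only identity (the ceiling is above the floor, so the identity policy alone decides). Passing `boundary=` adds the third layer from the permissions boundary discussion, and the model treats it exactly like another SCP: it can only take access away.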