Which of the following is correct in relation to Service Control Policies?
a) An SCP applies to all Organizational Units and accounts below the Organizational Unit to which it has been attached
b) They are deny by default and can only be used to allow access to AWS resources
c) They can be used to allow or deny access to AWS resources
d) They can only be used to restrict access to AWS resources
-> You can use SCPs for whitelisting = allow or blacklisting = deny actions. So the answer and description are not correct:
I would choose A) and C) instead of D).
Any comments?
I’d buy A as an option, but C is definitely wrong. SCPs alone cannot allow access to AWS resources. They operate as a sort of mask identifying what is potentially authorize-able in an AWS account via IAM policies. While they cannot grant access, they can prevent access from being granted; therefore, D is correct.
I’ll still ticket this to content dev for review.
What I mean is that an SCP is similar to a "Permission boundary": with that you can control the maximum of the combined permissions of the identity and resource policy (and/or session policy). And when you are using an "allow" statement in the SCP, it is not always a restriction, because if the SCP contains more "resource" allow actions/permissions than the combination of identity and resource policy, then the SCP is doing nothing. So the wording "is only to restrict access to AWS resources" may not always be correct.
We can definitely use "Effect": "Allow" in an SCP, as given in the URL below.
However, SCP restricts the access in a way that SCPs specify the maximum permissions for an organization or organizational unit (OU). If an SCP is present, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action. If both a permissions boundary and an SCP are present, then the boundary, the SCP, and the identity-based policy must all allow the action.
Option A is the most appropriate answer in the question – that is what is asked for…
I think some folks are overthinking this. A is definitely correct, and D is correct because an Allow doesn’t grant additional access, it instead limits access to just that which is in the Allow. Per the SCP Syntax page (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_scp-syntax.html): "Even though it uses the same Allow value keyword as an IAM permission policy, in an SCP it doesn’t actually grant a user permissions to do anything. Instead, SCPs specify the maximum permissions for an organization, organizational unit (OU), or account. In the preceding example, even if a user in the account had the AdministratorAccess managed policy attached, the SCP limits all users in the account to only Amazon S3 actions."
This makes the most sense to me, thank you!
Yours is the correct answer — I quoted some directly amplifying information below.
Echoing Tim Elliot,
"[SCPs] never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU)."
Thus, A&D are correct.
C is definitely right as SCPs can be used in both a "deny list" and "allow list" strategy as documented by AWS: https://docs.aws.amazon.com/organizations/latest/userguide/SCP_strategies.html. It is true that the default strategy is a "deny list" strategy, but you can remove the "FullAWSAccess" policy that AWS attaches by default to the root and all OUs, which then makes an "allow list" strategy possible.
I appreciate that they can be used in a "White List" strategy, but I don’t believe that you could say that they are "allowing" access. My rationale behind this is as follows: IAM Grant + SCP Deny = Deny : IAM Deny + SCP "Grant" = Deny
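As an added illustration of the combination rule in the last reply (example code written for this page, not from the thread or from AWS), here is a simplified evaluator: an explicit deny wins, an SCP only caps what identity-based policies grant, and the allow-list strategy is modelled as FullAWSAccess having been removed. The policies are constructed samples; resource and condition matching are deliberately ignored.

```python
"""Simplified model of how SCPs combine with identity-based policies.

Constructed example, not AWS code: it implements only the subset of the
evaluation logic discussed in the thread (explicit deny wins, the SCP layer
and the IAM layer must both allow) and ignores Resource/Condition matching.
"""
from fnmatch import fnmatchcase

# Constructed policies in SCP/IAM JSON shape. In a real organization these
# would be JSON documents attached to the root, an OU or an account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list strategy: FullAWSAccess stays attached, an explicit Deny is added.
DENY_LIST_SCP = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
]}

# Allow-list strategy: FullAWSAccess removed; only S3 actions remain authorizable.
ALLOW_LIST_SCP = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Identity-based policy attached to the principal (the "IAM Grant" in the thread).
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _statements(policies):
    """Yield (effect, action_pattern) pairs from a list of policy documents."""
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            for pattern in ([actions] if isinstance(actions, str) else actions):
                yield stmt["Effect"], pattern


def policy_verdict(policies, action):
    """Return 'Deny', 'Allow' or 'Implicit deny' for one policy layer."""
    verdict = "Implicit deny"
    for effect, pattern in _statements(policies):
        if fnmatchcase(action, pattern):   # IAM-style '*' wildcard on action names
            if effect == "Deny":
                return "Deny"               # an explicit deny always wins
            verdict = "Allow"
    return verdict


def is_allowed(action, scps, identity_policies):
    """Allowed only if every layer allows it; an SCP never grants on its own."""
    return (policy_verdict(scps, action) == "Allow"
            and policy_verdict(identity_policies, action) == "Allow")
```

Passing an empty identity-policy list with the allow-list SCP reproduces the "IAM Deny + SCP Grant = Deny" case; the deny-list SCP with AdministratorAccess reproduces "IAM Grant + SCP Deny = Deny".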