Hello gurus,
In definition SCP never grants permission. However, when I checked the SCP vs. IAM policy I discovered that SCP can also can be used to allow access to AWS resource (whitelist). Can I get a clarification on this please?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-service-control-policy/
Thanks!
1 Answers
The SCP is allowing access to the services and actions that are ALREADY allowed. Such as you can have an account with full access to all services, then apply an SCP that restricts by Whitelisting only a select group of services. So, in essence, the SCP is "removing" access to any service not explicitly listed in the SCP. Maybe this link will help – https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations-to-enforce-healthcare-compliance-in-your-aws-account/
Hi Josh, thanks for the clarification.
I agree with Josh’s answer. Whitelisting is not really a “permission” in itself. There is also a term called Blacklisting in SCP