AWS Certified Solutions Architect - Professional 2020


Service Control Policies (SCP) Question

Hello gurus,

By definition, an SCP never grants permission. However, when I checked the SCP vs. IAM policy comparison I discovered that an SCP can also be used to allow access to AWS resources (whitelist). Can I get a clarification on this please?

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-service-control-policy/

Thanks!

1 Answer

The SCP is allowing access to the services and actions that are ALREADY allowed. For example, you can have an account with full access to all services, then apply an SCP that restricts by whitelisting only a select group of services. So, in essence, the SCP is "removing" access to any service not explicitly listed in the SCP. Maybe this link will help – https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations-to-enforce-healthcare-compliance-in-your-aws-account/
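To make the "intersection" in the answer concrete, here is an added example that is not from the thread or from AWS: two constructed SCPs (an allow-list and a deny-list) and a deliberately simplified evaluator showing that an identity is only effective-allowed when its IAM policy grants the action AND the SCP permits it, so an SCP `Allow` on a service the IAM policy never granted does not open anything.

```python
import fnmatch
import json

# Constructed allow-list SCP: only S3 and EC2 survive; every other service is cut off.
ALLOW_LIST_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]
}""")

# Constructed deny-list SCP: keep the default "allow all", then explicitly deny IAM.
DENY_LIST_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}""")


def _matches(statement, action):
    """True if the statement's Action (string or list, with * wildcards) covers `action`."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in actions)


def scp_permits(scp, action):
    """Simplified SCP evaluation: any matching Deny wins; otherwise some Allow must match.
    Simplification (assumption): Resource, Condition and the root-user special case are ignored."""
    statements = scp["Statement"]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in statements)


def effective_allow(iam_allowed_actions, scp, action):
    """An identity gets the action only if its own IAM policy allows it AND the SCP permits it.
    `iam_allowed_actions` is a constructed list of action patterns the IAM policy grants."""
    iam_ok = any(fnmatch.fnmatchcase(action, pattern) for pattern in iam_allowed_actions)
    return iam_ok and scp_permits(scp, action)
```

The third case in the test below is the one the question is about: the allow-list SCP lists `ec2:*`, yet an identity whose IAM policy only grants `s3:GetObject` still cannot call `ec2:RunInstances`.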

HappyCloud

Hi Josh, thanks for the clarification.

Mukul Gopal

I agree with Josh’s answer. Whitelisting is not really a “permission” in itself. There is also a term called blacklisting in SCP.
