AWS Certified Solutions Architect - Professional 2020


Why is this action denied?

In this Reinvent video about IAM policies, why is the request at 14:30 denied?

https://www.youtube.com/watch?v=YQsK4MtsELU

I understood if there is no SCP, there is no guardrail so no actions would be denied.

1 Answer

Hey Jordi

That’s a great video from Brigid Johnson from the Identity team. In this case Brigid is demonstrating how there is a top level of permission granted in the AWS account using an ‘SCP’. SCPs define the maximum permission level allowed in the account. Your SCP for your account must grant an ALLOW permission in order for any entities underneath that SCP (i.e. an IAM role) to be granted permission at the permission policy level.

In many AWS accounts you might find that the SCP has been left as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

via the FullAWSAccess AWS-managed SCP.

FullAWSAccess allows any entity underneath it to be given ALLOW or DENY for various services. At the top level, any entity is allowed to be granted anything else.

If you were to delete your SCP(s) which grant access, then no combination of resource policies or user permission policies under it is going to work. In Brigid’s example, at 14:30, she asks what would happen if Casey deletes the SCP (which is the box on the left of her diagram) and the audience rightly answers that all access would be lost (DENIED!!!!)

SCPs can be used with AWS Organisations to set permission boundaries for a whole account. For example, you might set permission guardrails using SCPs for your Development AWS account to limit the instance types available, and to only grant access to services in the us-east-1 region. That idea is explained more here: https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/

I hope that clarifies it for you! Hit the community up if you need any more explanation.

Jonathon
ACG
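The evaluation order the answer describes (an SCP at every level must ALLOW before an identity policy can grant anything, and deleting the SCP denies everything) can be modelled in a few lines. This is an added illustration, not code from the video, the poster, or AWS; the policies and ARNs are constructed, and conditions (regions, instance types) are deliberately left out.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (assumptions for this example, not from the page).
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EC2_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """Wildcard match on Action (case-insensitive) and Resource, as IAM does."""
    act_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok


def policy_decision(policy, action, resource):
    """'Deny' if an explicit deny matches, 'Allow' if an allow matches, else 'Implicit' (denied)."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def scp_allows(scp_levels, action, resource):
    """Every level (root, each OU, the account) needs a matching Allow and no Deny.
    A level with no SCP attached has no Allow, so the request is denied there."""
    for level in scp_levels:
        decisions = [policy_decision(p, action, resource) for p in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def is_authorized(scp_levels, identity_policies, action, resource):
    """SCP guardrail first, then the identity (permission) policies of the role."""
    if not scp_allows(scp_levels, action, resource):
        return False
    decisions = [policy_decision(p, action, resource) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions
```

With FullAWSAccess attached the role's s3:GetObject works; replace that level with an empty list (the SCP deleted, as at 14:30) and the same request is denied even though the role policy is unchanged.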

Jordi Codina Claret

Thanks Jonathon! It makes sense. Somehow I had assumed you by default have the FullAWSAccess AWS-managed SCP as the default, which now I understand is not the case.
