Tags: AWS, Security, Governance, Organizations

Mastering AWS Service Control Policies (SCPs)

Secure your multi-account AWS environment with Service Control Policies. Learn how they act as a guardrail, not a gatekeeper.

Azynth Team
12 min read


As your AWS footprint grows to dozens or hundreds of accounts, keeping every one of them inside the same security boundaries by hand becomes unmanageable. IAM policies are scoped to the principals of a single account, so they cannot express a rule like "no account may ever disable CloudTrail". That is what Service Control Policies (SCPs) are for.

What are SCPs?

SCPs are a type of organization policy in AWS Organizations. They give you central control over the maximum permissions available to the member accounts of your organization. They do not apply to the management account, which is one reason to keep that account nearly empty of workloads and people.

Key Distinction: SCPs never grant permissions. They set a ceiling: a principal can perform an action only if an IAM policy allows it and the SCPs above its account allow it as well, and an explicit SCP Deny wins over any IAM Allow. Think of SCPs as the "Laws of the Land" and IAM policies as "Driver's Licenses". You might have a license to drive (IAM Allow), but the law says you can't drive 100mph (SCP Deny).

The Power of "Defense in Depth"

Security shouldn't rely on a single layer. SCPs provide a coarse-grained guardrail that stops accidental or malicious actions by any principal in a member account, including administrators and the account's root user. Know the exceptions before you rely on them: SCPs never restrict the management account, never affect service-linked roles, and do not restrict principals outside the organization who reach a member account's resources through a resource-based policy. Each of those gaps needs its own control.

SCP Inheritance

SCPs can be attached at three levels:

  1. The Organization Root
  2. Organizational Units (OUs)
  3. Individual Accounts

Policies filter down through the hierarchy. The effective SCP permissions of an account are the intersection of every level from the Root through each OU to the account itself: an action is available only if an SCP at every level allows it (the default FullAWSAccess policy does) and no SCP at any level denies it. So if you deny s3:DeleteBucket at the Root, nobody in any member account can delete a bucket, regardless of the OU or account policies below. The reverse also holds: if you replace FullAWSAccess on an OU with an allow-list, services missing from that list disappear for every account beneath it even though nothing explicitly denies them.
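To make the intersection rule concrete, here is a small evaluator written for this post (it is not AWS code and not the page's own). It models action names and the handful of condition keys typical SCPs use, ignores Resource ARNs, and runs against a constructed organization layout with constructed policies. It goes slightly beyond the paragraph above by also showing the allow-list case, where an action vanishes without any explicit Deny.

```python
import fnmatch

# Added example, not code from the original post or from AWS. The layout
# and the policies below are constructed for illustration.

# Attached by default to every root, OU and account when SCPs are enabled.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_DELETE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}
# Shortened region guardrail; global services are exempted through NotAction.
DENY_OUTSIDE_EU = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}},
    }],
}
# An allow-list that replaces FullAWSAccess on one OU.
ALLOW_S3_AND_LOGS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, ctx):
    """Subset of IAM condition operators that typical SCPs use."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in wanted  # missing key => true
            elif operator in ("StringLike", "ArnLike"):
                ok = actual is not None and any(_match(p, actual) for p in wanted)
            elif operator in ("StringNotLike", "ArnNotLike"):
                ok = actual is None or not any(_match(p, actual) for p in wanted)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, ctx):
    if "Action" in stmt:
        hit = any(_match(p, action) for p in _as_list(stmt["Action"]))
    else:
        hit = not any(_match(p, action) for p in _as_list(stmt["NotAction"]))
    return hit and _condition_holds(stmt.get("Condition", {}), ctx)


def policy_verdict(policy, action, ctx=None):
    """Verdict of one SCP document: 'deny', 'allow' or 'implicit_deny'."""
    ctx = ctx or {}
    verdict = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


def scp_allows(chain, action, ctx=None, management_account=False):
    """chain: Root first, account last; each level is the list of SCPs attached
    there. The action survives only if every level has an explicit allow and no
    level has an explicit deny. The management account is never subject to SCPs."""
    if management_account:
        return True
    for level in chain:
        verdicts = [policy_verdict(policy, action, ctx) for policy in level]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    return True


# Constructed layout: Root -> OU "Workloads" -> one member account.
ROOT = [FULL_AWS_ACCESS, DENY_DELETE_BUCKET, DENY_OUTSIDE_EU]
WORKLOADS_OU = [FULL_AWS_ACCESS]
ACCOUNT = [FULL_AWS_ACCESS]
CHAIN = [ROOT, WORKLOADS_OU, ACCOUNT]

if __name__ == "__main__":
    eu, us = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
    print(scp_allows(CHAIN, "s3:DeleteBucket", eu))   # denied at Root
    print(scp_allows(CHAIN, "iam:CreateRole", us))    # allowed: global service exempted
    # Allow-list on the OU: EC2 vanishes although nothing explicitly denies it.
    print(scp_allows([ROOT, [ALLOW_S3_AND_LOGS_ONLY], ACCOUNT], "ec2:RunInstances", eu))
```

The allow-list run is the one people get wrong in practice: the OU policy contains no Deny at all, yet EC2 is gone for every account under it because "allow at every level" failed at the OU.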

Top 5 Must-Have SCPs for Every Organization

1. Deny Leaving the Organization

Prevent rogue admins from detaching an account from your organization to escape billing or security controls. With this in place, only the management account, which SCPs do not govern, can remove the account (through organizations:RemoveAccountFromOrganization).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}

2. Restrict AWS Regions

Limit your exposure by only allowing API calls in the regions you actually use. Be careful with global services: calls to IAM, STS, Organizations, CloudFront and similar services report aws:RequestedRegion as us-east-1, so a region deny that does not exempt them (via NotAction) blocks IAM administration in every member account it touches. The policy below follows the pattern in the AWS Organizations documentation; extend the NotAction list with any other global service you rely on, and consider exempting a break-glass role with an ArnNotLike condition on aws:PrincipalARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "a4b:*",
        "acm:*",
        "aws-marketplace-management:*",
        "aws-marketplace:*",
        "aws-portal:*",
        "budgets:*",
        "ce:*",
        "cloudfront:*",
        "cur:*",
        "ec2:DescribeRegions",
        "health:*",
        "iam:*",
        "organizations:*",
        "pricing:*",
        "route53:*",
        "route53domains:*",
        "s3:GetAccountPublic*",
        "s3:ListAllMyBuckets",
        "s3:PutAccountPublic*",
        "shield:*",
        "sts:*",
        "support:*",
        "trustedadvisor:*",
        "waf:*",
        "waf-regional:*",
        "wafv2:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

3. Block Root User Usage

The root user in member accounts should almost never be used. Denying it everything forces day-to-day work through IAM roles and turns any root activity in CloudTrail into an immediate signal. Keep in mind that a handful of account-level tasks can only be performed by root; for those you must temporarily detach this SCP from the account, or use centralized root access management in AWS Organizations to remove root credentials from member accounts altogether.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

4. Protect Security Tools

Ensure that users cannot disable or quietly reconfigure CloudTrail, Config, or GuardDuty. Stopping a trail is only one way to blind yourself: updating its event selectors, deleting the Config delivery channel, or disabling a GuardDuty detector through UpdateDetector has the same effect, so deny those too. If you run an organization trail and delegated administrators for GuardDuty and Config, member-account principals cannot modify them anyway, and this SCP is the backstop. Where security automation inside member accounts legitimately needs these calls, exempt its role with an ArnNotLike condition on aws:PrincipalARN rather than weakening the deny. Protect the log archive bucket separately with a bucket policy; an SCP in the workload accounts does nothing for it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectSecurityTooling",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromAdministratorAccount",
        "config:StopConfigurationRecorder",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*"
    }
  ]
}

5. Enforce IMDSv2

Instance Metadata Service Version 2 requires a session token obtained with a PUT request, which a typical SSRF or open proxy cannot produce. It does not stop SSRF itself, but it denies the attacker the instance role's credentials, which is what the SSRF is usually after. This SCP only governs new launches: existing instances keep their current setting, and ec2:ModifyInstanceMetadataOptions can switch an instance back to IMDSv1, so the policy below denies that downgrade as well. For defense in depth, IAM role policies can additionally deny requests whose ec2:RoleDelivery is below 2.0, so credentials fetched over IMDSv1 are useless even where v1 is still on.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireImdsV2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    },
    {
      "Sid": "DenyImdsV1Downgrade",
      "Effect": "Deny",
      "Action": "ec2:ModifyInstanceMetadataOptions",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}

Testing SCPs Safely

Never attach a new SCP to the Root or a Production OU without testing it first. SCPs take effect immediately in every account beneath the attachment point and can break applications instantly.

  1. Create a Sandbox OU: Place a test account here.
  2. Apply to Sandbox: Attach your new SCP.
  3. Test Access: Log in to the test account with the same roles your workloads and developers use (not an admin role) and verify that the restricted actions are denied and valid actions still succeed. An SCP denial appears in CloudTrail as an AccessDenied error whose message mentions an explicit deny in a service control policy, which is the quickest way to tell an SCP block apart from a missing IAM permission.
  4. Promote: Once verified, move the SCP to a Dev OU, then Staging, and finally Production.
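Before a policy even reaches the sandbox OU, it is worth catching the mistakes that Organizations rejects outright or that a sandbox test tends to miss. The linter below is an added example written for this post (not AWS tooling and not the page's own code). It enforces the SCP syntax rules (5120-character limit, Version, no Principal, and the restrictions on Allow statements) and flags two pitfalls: a region deny that does not exempt global services, and an unconditional Deny on "*". The sample policies at the bottom are constructed.

```python
import fnmatch
import json

# Added example, not code from the original post or from AWS. The sample
# policies at the bottom are constructed for illustration.

SCP_MAX_CHARS = 5120  # Organizations quota for one SCP document
# Calls to these global services carry aws:RequestedRegion=us-east-1, so a
# region deny that does not exempt them blocks IAM/STS in every member account.
GLOBAL_SERVICE_PROBES = [
    "iam:CreateRole", "sts:AssumeRole", "organizations:DescribeOrganization",
    "cloudfront:CreateDistribution", "route53:ChangeResourceRecordSets",
    "support:CreateCase",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(stmt, action):
    """Does the statement's Action/NotAction element apply to this action?"""
    if "Action" in stmt:
        patterns, negate = _as_list(stmt["Action"]), False
    else:
        patterns, negate = _as_list(stmt.get("NotAction", [])), True
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit != negate


def lint_scp(doc):
    """Findings for one SCP (a dict, or the exact JSON text you will submit,
    since the size quota counts characters as submitted). Empty list = clean."""
    text = doc if isinstance(doc, str) else json.dumps(doc)
    policy = json.loads(text)
    findings = []
    if len(text) > SCP_MAX_CHARS:
        findings.append(f"document is {len(text)} characters; limit is {SCP_MAX_CHARS}")
    if policy.get("Version") != "2012-10-17":
        findings.append('Version must be "2012-10-17"')
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{index}]")
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
            continue
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"{sid}: SCPs cannot contain Principal or NotPrincipal")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{sid}: needs an Action or NotAction element")
        if effect == "Allow":
            # Organizations only accepts plain allow-lists: Resource "*" and
            # none of the elements below.
            if stmt.get("Resource") != "*":
                findings.append(f'{sid}: Allow statements must use Resource "*"')
            for element in ("Condition", "NotAction", "NotResource"):
                if element in stmt:
                    findings.append(f"{sid}: Allow statements cannot use {element}")
            continue
        condition = stmt.get("Condition", {})
        if "aws:RequestedRegion" in condition.get("StringNotEquals", {}):
            for probe in GLOBAL_SERVICE_PROBES:
                if _covers(stmt, probe):
                    findings.append(f"{sid}: region deny also blocks global-service call {probe}")
        if "*" in _as_list(stmt.get("Action", [])) and "Condition" not in stmt:
            findings.append(f'{sid}: unconditional Deny on "*" blocks every principal, including break-glass roles')
    return findings


# Constructed: a region guardrail with the global-service exemptions missing.
LEAKY_REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideEU", "Effect": "Deny",
        "NotAction": ["budgets:*", "ce:*", "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}},
    }],
}
FIXED_REGION_SCP = json.loads(json.dumps(LEAKY_REGION_SCP))  # deep copy
FIXED_REGION_SCP["Statement"][0]["NotAction"] += ["iam:*", "sts:*", "organizations:*", "cloudfront:*"]
# Constructed: an Allow statement using elements SCPs do not permit.
BAD_ALLOW_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ScopedAllow", "Effect": "Allow", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
    }],
}

if __name__ == "__main__":
    for name, doc in [("leaky", LEAKY_REGION_SCP), ("fixed", FIXED_REGION_SCP), ("allow", BAD_ALLOW_SCP)]:
        print(name, lint_scp(doc) or "clean")
```

Run it over the exact JSON you are about to submit (pass the text, not a re-serialized dict) so the length check reflects what Organizations will count, and wire it into the pipeline that promotes a policy from Sandbox to Dev so a leaky region deny never reaches an OU with real IAM work in it.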

Conclusion

SCPs are the bedrock of AWS multi-account governance. By implementing these core policies, you establish a security baseline that cannot be overridden from inside a member account, letting your developers build fast without breaking the rules.
