Home Membership Courses Blog
About Contact

Understanding AWS Service Control Policies (SCPs) and the deny list and allow list strategies

all aws aws policies aws security Apr 02, 2024

Service Control Policies (SCPs) are part of AWS Organizations and provide a powerful way to manage permissions across your AWS accounts. Unlike Identity and Access Management (IAM) policies that grant permissions, SCPs act as guardrails. They define what actions users, roles, and even root accounts can and cannot do within the accounts of your AWS Organization.

SCPs enable you to apply permission policies to all accounts in an organization or specific organizational units (OUs), helping ensure compliance with your company's access policies and preventing unauthorized access to AWS services.

Getting Started with SCPs

Here’s a simple guide to start using SCPs in your AWS environment:

  1. Create an AWS Organization: If you haven't already, set up an AWS Organization from the AWS Management Console. This allows you to manage multiple AWS accounts easily.

  2. Enable Service Control Policies: From the AWS Organizations dashboard, enable SCPs. This action allows you to start defining and applying SCPs to your accounts and OUs.

  3. Define Your Policies: Create SCPs that specify the services and actions you want to allow or deny. AWS offers a policy editor and JSON format for policy creation.

  4. Attach Policies to Your Accounts or OUs: Once you've defined your SCPs, attach them to the desired accounts or OUs. Remember, SCPs do not grant permissions but restrict them. Ensure that your IAM roles and policies grant necessary permissions within the boundaries set by your SCPs.

  5. Test and Monitor: After applying SCPs, test your setup by trying to perform actions that should be allowed and denied. Use AWS CloudTrail and other monitoring tools to keep an eye on compliance and activity.

Deny List vs. Allow List Strategies

When it comes to SCPs, there are two main strategies for managing permissions: the deny list (blacklist) and allow list (whitelist). Here’s how they compare:

Deny List Strategy

  • Approach: Allows all actions by default, except those explicitly denied.
  • Use Case: Ideal when you want to enable broad access across your organization but need to restrict certain services or actions.
  • Pros: Flexibility and ease of allowing new services by default.
  • Cons: Can inadvertently allow access to unwanted services unless explicitly denied.

Allow List Strategy

  • Approach: Denies all actions by default, except those explicitly allowed.
  • Use Case: Best for highly sensitive environments where you must ensure that only specific, vetted services are accessible.
  • Pros: Greater security by limiting access to only necessary services and actions.
  • Cons: Requires thorough understanding of needed permissions and can be more challenging to manage.

Conclusion

SCPs offer a robust way to manage and secure your AWS environment by controlling access at the organization and account level. By choosing between a deny list and allow list strategy, you can tailor access controls to meet your specific security needs and operational requirements. Remember, the key to effective SCP management is understanding your organizational needs, regularly reviewing your policies, and adjusting as those needs change. Happy cloud computing!

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.

Recent Posts

Understanding TLS Termination with Load Balancers in AWS
all aws aws networking aws security
Apr 19, 2024
Understanding Load Balancing in AWS
all aws aws networking
Apr 18, 2024
A Beginner's Roadmap to Mastering AWS Networking
all aws aws networking roadmaps
Apr 08, 2024

Categories

All Categories all aws all azure amazon ec2 amazon s3 announcements aws aws architecture aws automation aws cloudhsm aws comparison 101 aws compute aws containers aws cost management aws developer tools aws devops aws feature 101 aws governance aws iam aws kms aws management tools aws messaging aws networking aws optimizations aws policies aws principles 101 aws recipes aws security aws serverless aws service 101 aws ssm aws storage aws tools 101 aws vpc azure networking azure security cloud computing ec2 security getting started multi-cloud roadmaps s3 security security updated
Lead Author @ Cloudericks Blogs

Heartin Kanikathottu

Principal Cloud Architect & Author

The Cloudericks blog posts are created and maintained by Heartin Kanikathottu and his team at Cloudericks with a bit of AI help. Heartin is an accomplished Cloud Architect and a prolific international author recognized globally, with one of his books being named all-time 8th best in cloud computing. Read more at heartin.github.io.

Want to ask doubts directly to Heartin and team?

Please become a Cloudericks member to join the KEWA group and ask any questions directly to Heartin and the Cloudericks team! You can also get access to our courses, cookbooks, quizzes, and the KEWA group!

Special Note: If you purchase any of Heartin's books related to cloud, ask for a complimentary membership to KEWA group. 

Explore Membership