Posted On: Mar 25, 2019

Starting today, you can use Service Control Policies (SCPs) to set permission guardrails with the fine-grained controls used in AWS Identity and Access Management (IAM) policies. This makes it easier to meet the specific requirements of your organization’s governance rules. The new policy editor in the AWS Organizations console makes it easier to author SCPs by guiding you to add actions, resources, and conditions.  

AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Central security administrators use SCPs with AWS Organizations to establish access controls that all IAM principals (users and roles) adhere to. Now, using SCPs, you can specify Conditions, Resources, and NotAction to deny access across accounts in your organization or organizational unit. For example, you can use SCPs to restrict access to specific AWS Regions, or prevent deleting common resources, such as an IAM role used for your central administrators.

To get started with SCPs, visit the AWS Organizations console. You can use SCPs in any AWS region that supports AWS Organizations. To learn more about SCPs, visit the Service Control Policies documentation.