100 Days of AWS — Day 6— AWS Organizations — Part 2

To view the complete course, please enroll it using the below link(it’s free)

https://www.101daysofdevops.com/courses/100-days-of-aws/

Welcome to Day 6 of 100 Days of AWS. The topic for today is AWS Organizations — Part 2. On Day 5, you have learned about AWS Organizations https://www.101daysofdevops.com/courses/100-days-of-aws/lessons/day-5-aws-organizations-part-1 / today. We are going to explore Service Control Policies(SCP).

Companies that have multiple AWS accounts often run into problems like how to set different policies to restrict what users can do. This is where we can use Service Control Policies(SCP) to enable access control at the account level.

NOTE: Service Control Policy never grants permissions.

Example Service Control Policy denies access to EC2 and S3 resources.

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "DenyEC2andS3",
   "Effect": "Deny",
   "NotAction": [
    "ec2:*",
    "s3:*"
   ],
   "Resource": [
    "*"
   ],
   "Condition": {
    "*"
   }
  }
 ]
}

Let’s see the above example in action.

• Go to the AWS Organizations https://us-east-1.console.aws.amazon.com/organizations/v2/home/ , click on Policies and make sure Service control policies are enabled.

• Click on the Service control policies, and on the new page, click on Create policy.

• Give your policy some name and copy-paste the above example policy. At the bottom of the page, click on Create policy.

• Go back to the Service control policies page, select the policy, and under the Actions drop-down, select Attach policy.

• Select the account where you want to Attach the policy. After selecting the account, click on Attach policy.

• Now go to the account(DevAcc) and try to create an S3 bucket or EC2 instance. You will see this error.

NOTE: All the root, OUs, and accounts are attached with a default SCP FullAWSAccess that allows all actions and services.

and it look like this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

• Also, there must be at least one attached policy at the root level. To detach the FullAWSAccess SCP, you must need to create and attach another SCP that has at least minimal access.

NOTE: The master account cannot be restricted using Service Control Policies(SCP).