Organizations SCPs
Definition
Service Control Policies (SCPs) are a feature of AWS Organizations that let administrators set permission boundaries across many AWS accounts from one place. An SCP defines the maximum permissions available to IAM users and roles in the accounts it covers: no identity policy, resource policy, or session policy attached inside a member account can grant access that the SCPs on that account's path deny or fail to allow. SCPs never grant permissions by themselves; an action is allowed only when every SCP level between the organization root and the account allows it and a policy in the account also grants it. SCPs can be attached at the root, at an organizational unit (OU), or directly to an account, and are used to enforce compliance and security guardrails across the organization. Two limits matter in practice: SCPs do not restrict the management account, and they do not apply to service-linked roles, so guardrails must assume the management account is outside their reach.
Secure Settings Example
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
This SCP denies every action whenever the global condition key aws:SecureTransport is "false", which is the case for requests sent over plain HTTP rather than TLS, so it enforces encryption in transit for all accounts it covers. Because the statement is Deny-only, it does not allow anything on its own: the account's path must also carry an Allow, normally the AWS-managed FullAWSAccess SCP that Organizations attaches by default. If FullAWSAccess is detached from a level that holds only this Deny policy, every action in that subtree is implicitly denied.
Insecure Settings Example
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
This SCP allows all actions on all resources. It is the content of the AWS-managed FullAWSAccess policy that is attached to the root by default, and since an SCP cannot grant permissions, it does not by itself give anyone access; the weakness is in leaving it as the only SCP on the path to an account. In that state the organization imposes no restriction at all, and every account's permissions are bounded only by its own IAM policies, so no compliance or security standard is enforced centrally. A reasonable posture keeps FullAWSAccess (or a narrower allowlist) and layers Deny-based guardrails such as the secure-transport policy above on top of it.
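The ceiling semantics from the definition, the Deny-only secure-transport SCP, and the default FullAWSAccess policy interact in a way that is easier to see by running the evaluation than by reading it. The following is an added example, not code from the page or from AWS: a simplified model of how an action is evaluated against the SCPs on the root, OU and account path and then against the identity policy. It models Action and Resource wildcards and the Bool condition operator only (no NotAction, NotResource, principals or other operators), and the S3 read-only identity policy is constructed for the example.

```python
"""Simplified model of SCP plus identity-policy evaluation (added example, not AWS code).
Models Action/Resource wildcards and the Bool condition operator only."""
import fnmatch

# The two SCPs from the page.  FULL_AWS_ACCESS is the content of the AWS-managed default SCP.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_INSECURE_TRANSPORT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
# Constructed identity policy attached to a role inside a member account (assumption).
S3_READ_ONLY_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM matches action names case-insensitively; * and ? are the wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    """Bool operator: the request-context key must be present and equal the expected value."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False  # a missing key never satisfies Bool (no ...IfExists here)
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(statement, action, resource, context):
    return (any(_matches(a, action) for a in _as_list(statement.get("Action", [])))
            and any(_matches(r, resource) for r in _as_list(statement.get("Resource", [])))
            and _condition_holds(statement.get("Condition"), context))


def evaluate(policies, action, resource, context):
    """Decision for one set of policies: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if _statement_applies(statement, action, resource, context):
                if statement["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def is_allowed(scp_levels, identity_policies, action, resource="*", context=None):
    """scp_levels holds the SCPs attached at each level on the path root -> OU -> account.
    Every level must yield an Allow (a level holding only Deny statements blocks everything),
    and the identity policy must still grant the action: SCPs are a ceiling, never a grant."""
    context = context or {}
    for level in scp_levels:
        if evaluate(level, action, resource, context) != "Allow":
            return False
    return evaluate(identity_policies, action, resource, context) == "Allow"


if __name__ == "__main__":
    # Root carries the default SCP, the OU adds the secure-transport guardrail.
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_INSECURE_TRANSPORT], [FULL_AWS_ACCESS]]
    role = [S3_READ_ONLY_IDENTITY_POLICY]
    print(is_allowed(path, role, "s3:GetObject", context={"aws:SecureTransport": "true"}))   # True
    print(is_allowed(path, role, "s3:GetObject", context={"aws:SecureTransport": "false"}))  # False
    print(is_allowed(path, role, "ec2:RunInstances", context={"aws:SecureTransport": "true"}))  # False
```

Three outcomes are worth checking with this model: the same HTTPS request that succeeds under the guardrail fails when the OU holds only DENY_INSECURE_TRANSPORT with FullAWSAccess detached; an organization whose only SCP is FullAWSAccess lets the plain-HTTP request through, so the restriction has to come from somewhere; and ec2:RunInstances stays denied even though every SCP allows it, because the identity policy never granted it.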