SCP Explorer
Interactive documentation for AWS Service Control Policies (SCPs) with implementation examples and validation scenarios.
What are SCPs?
Service Control Policies explained
Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions across your AWS organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization's access control guidelines. Note that an SCP only sets a ceiling: it never grants permissions by itself, so an action must still be allowed by the principal's IAM identity policy (or a resource policy) before it can succeed, and any SCP that denies the action wins regardless.
Why Use SCPs?
Benefits of implementing SCPs
SCPs help you enforce critical security controls, ensure compliance with organizational policies, restrict access to specific AWS services or regions, and prevent accounts from leaving your organization. They provide a powerful defense-in-depth layer in your AWS security strategy.
Available SCP Examples
Deny Access Analyzer Operations
Restricts access to AWS IAM Access Analyzer operations, only allowing access from security roles.
Restrict EC2 Instance Types
Restricts EC2 instance launches to specific instance types, preventing users from launching larger, more expensive instance types.
Region Restriction
Denies all operations outside of specified AWS regions, helping enforce geographic data boundaries.
IAM Access Key Restriction
Restricts who can create IAM access keys, allowing them only for automation roles to reduce credential sprawl.
Athena Read-Only Access
Allows read-only access to Athena queries and S3 data, enabling data analysis while preventing modifications.
CloudTrail Protection
Prevents tampering with CloudTrail logs by blocking attempts to delete trails, update configurations, or stop logging.
CloudWatch Protection
Prevents deletion of critical CloudWatch logs and alarms, ensuring your monitoring infrastructure remains intact.
Restrict Console Administrative Actions
Prevents manual creation of IAM users and policy attachments through the console, ensuring these actions are only performed through approved automation.
Tag Enforcement
Requires specific tags on all EC2 instances and RDS databases, ensuring proper resource categorization and cost allocation.
Team-Based S3 Access
Restricts S3 operations to principals tagged with specific team identifiers, implementing role-based access control for data resources.
RDS Deletion Protection
Prevents the deletion of RDS database instances, providing an additional layer of protection for your critical database infrastructure.
S3 Encryption Requirement
Enforces server-side encryption for all S3 uploads, ensuring all data is encrypted at rest for compliance and security.
S3 Public Access Prevention
Prevents S3 buckets from being configured with public access, reducing the risk of accidental data exposure.
KMS Key Protection
Prevents deletion or disabling of KMS keys, protecting the encryption infrastructure that secures your data.
Principal-Based Environment Access
Ensures that only principals with the appropriate environment tag can access resources, enforcing environment segregation.
Deny S3 Bucket Deletion
Prevents deletion of S3 buckets except by specific infrastructure automation roles, providing protection against accidental data loss.
Restrict KMS Key Encryption
Allows encryption with a specific KMS key only when performed through an approved deployment pipeline role.
S3 Bucket Policy Enforcement
Requires all S3 bucket uploads to include server-side encryption, ensuring data at rest is always protected.
CloudWatch Alarm Protection
Prevents the deletion of critical CloudWatch alarms, ensuring that monitoring alerts are not accidentally removed.
Auto Scaling Group Protection
Restricts who can modify or delete Auto Scaling groups, ensuring that production scaling configurations are not changed without proper authorization.
Lambda Function Protection
Prevents unauthorized deletion or modification of Lambda functions, ensuring that critical application components remain intact.
MFA Enforcement
Requires MFA for sensitive operations, ensuring that critical actions like stopping EC2 instances are only performed by properly authenticated users.