Written by Vaibhav Umarvaishya
As companies expand their use of AWS, they typically move from managing a single account to a multi-account model. Multi-account environments provide better resource segregation, cost visibility, and security boundaries, but they also make permission management and the enforcement of security guidelines across accounts harder.
This is where AWS Service Control Policies (SCPs) are used.
AWS SCPs are a high-level feature in AWS Organizations that enable administrators to define permission guardrails on multiple AWS accounts. SCPs facilitate centralized and standardized governance, compliance, and security control, preventing accounts from accessing unauthorized services and actions.
Large Enterprises with Multiple AWS Accounts
Finance, healthcare, government, and retail organizations depend on SCPs to impose security and compliance policies on hundreds or thousands of AWS accounts.
Managed Service Providers (MSPs)
MSPs utilize SCPs to govern multi-tenant AWS environments, imposing guardrails and baseline security policies on client accounts.
Cloud Center of Excellence (CCoE) and Governance Teams
Cloud governance teams use SCPs to enforce organization-wide policies that provide consistent control over what services and actions accounts can perform.
Example
A multinational financial organization with 500+ AWS accounts employs SCPs to limit regions, turn off non-approved services, and apply encryption policies to all accounts to achieve PCI DSS compliance.
AWS Service Control Policies (SCPs) are an AWS Organizations feature for setting permission guardrails. An SCP defines the maximum permissions an AWS account can have: it grants nothing by itself, but caps what the IAM users and roles in the account can use, regardless of what their own IAM policies allow.
Centralized Control: Set permissions across several AWS accounts in an organization or organizational unit (OU).
Deny or Allow Actions: Utilize explicit deny or allow lists to manage access to AWS resources and services.
Enforcement of Compliance and Governance: Keep accounts in compliance with security requirements.
Granular Control by OU: Implement policies at the root, OU, or account level for hierarchical control.
No Impact on AWS Management Account: SCPs do not restrict actions in the management (formerly "master") account by default.
Example
A healthcare provider uses SCPs to deny all actions in AWS regions that are not HIPAA compliant, keeping data in compliant regions.
Multi-Account Scenarios
Apply baseline security and governance rules across departments, teams, or business units.
Regulatory Compliance
Implement industry compliance mandates (e.g., GDPR, HIPAA, PCI DSS) by limiting accounts to particular regions, encryption options, or compliant services.
Least Privilege Enforcement
Prevent accounts from accessing unnecessary services by implementing deny-by-default policies and providing access on a case-by-case basis.
Avoid Human Error
Limit the use of services that may cause unforeseen expenses or create security risks.
Utilize Deny Statements for High-Risk Actions
Deny actions like deleting CloudTrail logs, disabling encryption, or disabling GuardDuty.
Structure Accounts into OUs
Establish organizational units (OUs) for sandbox, development, and production environments and implement SCPs accordingly.
Test SCPs in a Staging Environment
Apply SCPs to sandbox accounts first, before rolling them out to production.
Example
A university with multiple AWS accounts uses SCPs to block non-approved services so that students and researchers stay within the organization's cloud governance framework.
SCPs take effect at the account level and enforce organization-wide permission boundaries. They are a central part of AWS Organizations and are widely used in:
Multi-Account Strategies: Unified governance for organizations that operate many AWS accounts.
Landing Zones: Critical to AWS Control Tower landing zones for policy enforcement automation.
Hybrid and Multi-Cloud Architectures: Standardize governance in large, complex architectures where AWS is an integral part of a broader cloud ecosystem.
Example 1: Secure Production Environment
A retail business maintains strict SCPs in its prod OU, denying actions such as IAM role creation, CloudTrail deletion, and the use of unapproved AWS regions.
Example 2: Research and Development Sandbox
An energy company allows more flexibility in its R&D OU for short-lived experimentation, but uses SCPs to deny high-cost resources such as GPU-based instances.
Enforce Governance at Scale
SCPs enable simple guardrails to be applied to hundreds or thousands of AWS accounts with consistency.
Compliance Enforcement
Helps meet compliance requirements by blocking unauthorized services, regions, or actions.
Reduce Security Risk
SCPs block unintentional or malicious behavior, including the disabling of security services or the erasure of audit logs.
Cost Control
Block services and resources that consume unnecessary or high costs, including high-cost EC2 instance types or unauthorized data transfer regions.
Example
An international insurance provider utilized SCPs to enforce encryption on all data storage services (e.g., S3, EBS, RDS) to fulfill their GDPR requirements and prevent expensive compliance penalties.
Step 1: Activate AWS Organizations and SCPs
Create an AWS Organization in your management account.
Turn On All Features in AWS Organizations to enable SCPs.
Step 2: Plan Organizational Units (OUs)
Organize accounts by environment type (e.g., Production, Development, Sandbox).
Use SCPs at the OU level for effective management.
Step 3: Design and Attach SCPs
Implement policies in JSON format.
Begin with Allow List or Deny List SCPs.
Attach SCPs to OUs or individual accounts.
Step 4: Monitor and Audit SCPs
Utilize CloudTrail and AWS Config to monitor policy changes and compliance.
Use IAM Access Analyzer to find unintended permissions.
Step 5: Iterate and Optimize
Test SCPs on staging accounts before rolling them out organization-wide.
Regularly review and refresh SCPs as business requirements evolve.
Example
A pharmaceutical company used SCPs to limit access to AI/ML services in development environments. It tested the policies in staging, then enforced them across production accounts to control the use of AI/ML resources on clinical data.
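Step 4 above says to watch CloudTrail for policy changes. The following detection, written as an added example for this post (not the author's code), scans CloudTrail records for the AWS Organizations calls that create, alter, detach or switch off SCPs; the event records are constructed samples in CloudTrail's record shape, and the account, policy and OU identifiers in them are placeholders.

```python
"""Detect SCP tampering in CloudTrail: flag AWS Organizations API calls that
change guardrails. Example code for this post; the events are constructed."""
import json

# Organizations API calls that create, change, remove or detach SCPs, or switch
# the whole SERVICE_CONTROL_POLICY type off at the root.
SCP_CHANGE_EVENTS = {"CreatePolicy", "UpdatePolicy", "DeletePolicy",
                     "AttachPolicy", "DetachPolicy", "DisablePolicyType"}

# Constructed sample trail (placeholder account id, policy id and OU ids).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "organizations.amazonaws.com", "eventName": "AttachPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/cloud-admin"},
     "requestParameters": {"policyId": "p-examplescp1", "targetId": "ou-exam-sandbox1"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DetachPolicy",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/DevRole/alice"},
     "requestParameters": {"policyId": "p-examplescp1", "targetId": "ou-exam-prod0001"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DisablePolicyType",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/cloud-admin"},
     "requestParameters": {"rootId": "r-exam", "policyType": "SERVICE_CONTROL_POLICY"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/app"},
     "requestParameters": {"bucketName": "logs"}},
]})

def scp_change_alerts(trail_json):
    """Return one alert dict per SCP-affecting Organizations call. Denied
    attempts (errorCode present) are kept: a failed DetachPolicy is still a signal."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        if rec.get("eventName") not in SCP_CHANGE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # DisablePolicyType removes every SCP in the organization at once.
        severity = "critical" if rec["eventName"] == "DisablePolicyType" else "high"
        alerts.append({
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "target": params.get("targetId") or params.get("rootId"),
            "policy": params.get("policyId"),
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
            "severity": severity,
        })
    return alerts
```

In practice the same filter is expressed as a CloudWatch Logs metric filter or EventBridge rule on the CloudTrail stream; the function shows which fields to key on.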
Problem
A bank needed to enforce PCI DSS compliance across 200 AWS accounts, restricting them to approved regions and services.
Solution
Defined OUs for development, sandbox, and production environments.
Attached SCPs that deny access to non-approved regions and prohibit disabling encryption services.
Implemented compulsory CloudTrail logging and GuardDuty enablement.
Outcome
Obtained PCI DSS certification.
Decreased security incidents by 40%.
Simplified audit procedures with uniform policy enforcement.
Problem
A SaaS company struggled with runaway costs in sandbox accounts, where developers were launching expensive EC2 instances and leaving resources idle.
Solution
Developed SCPs to prevent the use of high-priced instance families (e.g., P4, Inf1).
Prevented the creation of unapproved services such as Redshift in dev environments.
Kept essential low-cost services (e.g., Lambda, DynamoDB) available for development.
Result
Decreased sandbox environment expense by 55%.
Increased developer understanding of cost limitations.
Applied cost control without affecting development speed.
1. What is an AWS Service Control Policy (SCP)?
An SCP is a JSON policy document within AWS Organizations that specifies the highest permissions accessible to accounts within an AWS Organization.
Example:
An SCP that prohibits all actions outside of regions us-east-1 and eu-west-1.
2. Do SCPs grant permissions?
No. SCPs do not grant permissions; they limit which permissions IAM users and roles can use.
Example:
An IAM policy may allow S3 access, but if an SCP denies S3 actions, users cannot perform S3 operations.
3. Is it possible to apply SCPs to specific AWS accounts?
Yes. SCPs can be associated with specific accounts, OUs, or the whole organization.
Example:
A sandbox account has an SCP that denies RDS access but allows S3 and Lambda.
4. Are SCPs applied to the AWS management account?
SCPs do not limit the management account by default. You need to enable SCPs for the management account explicitly if necessary.
Example:
An organization enabled SCPs for the management account to avoid unintentional deletion of organizational logs.
5. How are SCPs different from IAM policies?
IAM policies provide permissions at the user/role level, whereas SCPs define account-level permission boundaries.
Example:
An IAM user with administrative access within an account cannot override an SCP denying some actions.
6. Are SCPs able to enforce encryption?
Yes. SCPs can deny actions on resources where encryption isn't turned on.
Example:
An SCP denying the creation of unencrypted S3 buckets in all accounts.
7. How do I validate SCPs before putting them into production?
Apply them to sandbox or non-production accounts first, or use AWS Control Tower for automated governance testing.
Example:
A business implemented SCPs in its dev OU before deployment to production.
8. Can SCPs prevent accidental data loss?
Yes. SCPs can deny actions such as the deletion of CloudTrail logs or the termination of crucial EC2 instances.
Example:
An SCP denies the s3:DeleteBucket action to avoid deleting significant data buckets.
9. How do SCPs assist with cost management?
Block the use of costly services and limit high-cost instance types in development accounts.
Example:
A SaaS vendor blocked EC2 p4d instances in sandbox accounts with SCPs, reducing unnecessary expenses.
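The definition of SCPs earlier in the post, the "deny high-risk actions" practice, and FAQ 1, 2, 5 and 8 all hinge on one evaluation rule: an SCP bounds what IAM can grant and an explicit Deny wins. The model below is an added example for this post (not the author's code and not AWS's evaluator): it simplifies real SCP evaluation by treating all SCPs as attached at a single level of the OU hierarchy, ignoring Resource elements, and supporting only a StringNotEquals condition on aws:RequestedRegion; the two SCP documents follow the patterns the post describes.

```python
"""Toy model of SCP evaluation: an SCP only bounds what IAM policies can grant.
Example code for this post; simplified, see the lead-in for what it leaves out."""
from fnmatch import fnmatchcase

# 1) Region guardrail: deny every action outside the approved regions, except
#    global services, which the deny would otherwise break.
REGION_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
# 2) Protect audit logging and threat detection, even from account admins.
PROTECT_SECURITY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*", "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "guardduty:DeleteDetector"]}]}
# AWS-managed FullAWSAccess, attached by default; without an Allow, SCPs deny everything.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, action, region):
    """Does this statement match the action (Action or NotAction) and its Condition?"""
    if "Action" in stmt:
        hit = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement applies to every action NOT listed
        hit = not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
    if "aws:RequestedRegion" in not_equals:
        hit = hit and region not in _as_list(not_equals["aws:RequestedRegion"])
    return hit

def decision(policies, action, region):
    """Evaluate policy documents together: an explicit Deny wins, otherwise an
    Allow is required, otherwise the result is an implicit deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, action, region)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def is_allowed(scps, iam_policy, action, region):
    """Effective permission = the SCPs allow AND the identity's IAM policy allows."""
    return (decision(scps, action, region) == "Allow"
            and decision([iam_policy], action, region) == "Allow")

ACCOUNT_SCPS = [FULL_AWS_ACCESS, REGION_GUARDRAIL_SCP, PROTECT_SECURITY_SCP]
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LAMBDA_ONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}
```

With these inputs an account administrator can run EC2 in eu-west-1 but not in ap-south-1 and cannot stop CloudTrail anywhere, while a Lambda-only IAM user gets no S3 access even though the SCPs would permit it.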
AWS Service Control Policies (SCPs) are a key governance instrument for securing and managing multi-account AWS environments. They help businesses enforce security, lower costs, and sustain compliance across distributed teams and workloads.
Implementing SCPs allows you to normalize security controls, restrict the blast radius, and make governance at scale simpler.
Ready to deploy AWS SCPs in your organization?
Reach out to us today for a free consultation on AWS multi-account governance and SCP best practices!