SCP Introduction
Definition
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. The organization management account can use SCPs to limit which permissions can be assigned to member accounts to ensure that they stay within your organization's access control guidelines. SCPs can be attached to an organization, OUs, and member accounts. Any SCP attached to an organization or OU affects all the accounts within the organization or under the OU.
Helpful links:
- SCP Principles: SCP types, how SCPs work, inheritance of SCPs, and relationship between SCPs and IAM policies
- SCP Syntax: SCP structure and parameters
Testing SCP Effects
Before applying an SCP to your production environment, it is strongly recommended that you use test accounts in a test environment first to perform thorough system design and testing. This helps avoid any unpleasant surprises in the production environment. After the SCP has been fully verified in the test environment, you can create an OU and move one or a few accounts into it at a time, to ensure that the use of resources is not inadvertently interrupted.
Do not detach the system-defined SCP FullAccess unless you replace it with a custom policy that explicitly allows the actions you need. If you detach FullAccess and configure such a custom allow-list policy, it must allow the actions required by the services you use, as well as iamToken::* and signin::*.
- If you detach the FullAccess SCP from the root OU, the operations for all accounts in the organization will fail. This operation is very risky; exercise caution before detaching the FullAccess SCP.
- If you detach the FullAccess SCP from an OU, the operations for the accounts in that OU and its lower-level OUs will fail.
- If you detach the FullAccess SCP from a member account, the operations for that account will fail.
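The following pre-flight check is an added example, not part of this documentation or of any Organizations tooling. It lints a candidate allow-list SCP before it is attached anywhere, reporting which of the actions the text names as mandatory (iamToken::*, signin::*), plus any service actions you pass in, no Allow statement covers. The policy layout (a "Version" of "5.0" and a "Statement" list with "Effect" and "Action") is assumed from the SCP syntax conventions rather than taken from this page, and the sample policy and the ecs:cloudServers:list action are constructed for the example.

```python
"""Pre-flight check for a custom allow-list SCP (added example).

The page states that a custom policy replacing FullAccess must allow
the actions required by the services in use plus iamToken::* and
signin::*. This script checks a candidate policy document for that
before it is attached. The policy layout (Version "5.0", Statement list
with Effect/Action) is assumed; the sample policy is constructed.
"""
import fnmatch
import json

# Actions the documentation says every custom allow-list SCP must include.
REQUIRED_ACTIONS = ("iamToken::*", "signin::*")

# Constructed candidate policy: it allows ECS list actions and token
# issuance but omits signin::*, so console sign-in would break.
CANDIDATE_SCP = json.dumps({
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:list", "iamToken::*"]},
    ],
})


def allowed_actions(policy_json: str) -> list[str]:
    """Collect every action pattern that appears in an Allow statement."""
    policy = json.loads(policy_json)
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def covers(pattern: str, required: str) -> bool:
    """True if an allowed pattern (possibly wildcarded) covers a required action.

    A bare "*" allows everything; otherwise the service:resource:action
    segments are compared one by one, with "*" in the pattern as a wildcard.
    """
    if pattern == "*":
        return True
    p_parts = pattern.split(":")
    r_parts = required.split(":")
    if len(p_parts) != len(r_parts):
        return False
    return all(fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))


def missing_required(policy_json: str, extra_required=()) -> list[str]:
    """Return the required actions that no Allow statement covers.

    extra_required lets you add the service actions your workloads need
    (e.g. a constructed "ecs:cloudServers:list") to the mandatory pair.
    """
    allowed = allowed_actions(policy_json)
    missing = []
    for req in (*REQUIRED_ACTIONS, *extra_required):
        if not any(covers(p, req) for p in allowed):
            missing.append(req)
    return missing


if __name__ == "__main__":
    gaps = missing_required(CANDIDATE_SCP, extra_required=["ecs:cloudServers:list"])
    if gaps:
        print("Do not attach this SCP yet; it does not allow:", gaps)
    else:
        print("Candidate SCP allows every required action.")
```

Run the check against the policy document you intend to attach in the test OU first; an empty result means the mandatory actions are covered, while any listed gap is a service whose operations would fail once FullAccess is gone.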
Tasks Not Restricted by SCPs
You cannot use SCPs to restrict the following tasks:
- Any action performed by the organization management account or IAM users.
- Any action performed using permissions that are attached to a service-linked agency.
- Any API calls made by SCP-unsupported cloud services to SCP-supported cloud services. For SCP-supported cloud services and regions, see Cloud Services for Using SCPs and Regions for Using SCPs.
- In most cases, access to APIs of SCP-supported cloud services using a token obtained through APIs.