Concepts

SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). They help administrators ensure that accounts within the AWS Organization comply with company-wide policies. SCPs do not grant permissions; instead, they limit what actions users and roles can perform within each account.

SCP Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

This SCP prevents all users, roles, and groups in affected accounts from performing any actions on Amazon S3 resources.

Understanding Permissions Boundaries

Permissions Boundaries are a way to delegate administration tasks and securely manage permissions. By setting a permissions boundary, you can limit the maximum permissions that an IAM role or user can have. They are different from SCPs, as they are set at an individual IAM user or role level, rather than at the account level.

Permissions Boundary Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}

This permissions boundary caps a user or role at describing, starting, and stopping EC2 instances. Because a boundary only sets a ceiling, the identity policies attached to the user or role must still grant those actions; conversely, even if an attached policy grants ec2:TerminateInstances or ec2:RunInstances, those actions fall outside the boundary and are denied.

Validating SCPs and Permissions Boundaries

When validating SCPs and permissions boundaries, you should follow several steps:

  1. Review the JSON Policy: Ensure that the SCP or permissions boundary JSON document is written correctly and adheres to the proper policy grammar.
  2. Simulate Policy Permissions: Use the AWS IAM Policy Simulator or the simulate-principal-policy API action to test and confirm how your policies and boundaries will actually behave. This can help you avoid potential issues or unexpected permissions restrictions.
  3. Check Effective Permissions: Remember that the effective permissions are a combination of what is granted in IAM policies and what is allowed by SCPs and permissions boundaries. AWS permissions are evaluated with a logical AND, so all policies must allow an action before it can be taken.
  4. Audit Periodically: Use services like AWS CloudTrail and AWS Config to perform audits of your SCPs and permissions boundaries to ensure compliance over time.
  5. Use AWS Organizations to Manage SCPs: Utilize the features of AWS Organizations to apply SCPs across multiple accounts more easily and to centrally manage your organization.
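The logical-AND rule in step 3 is easiest to see by running the page's two example policies (the S3-denying SCP and the EC2 permissions boundary) through a small evaluator. The following Python is an added illustration written for this article, not AWS's evaluation engine and not code from the page: it models only Effect and Action with Resource "*", ignores Condition, NotAction, resource-based policies and session policies, and uses a constructed identity policy named IDENTITY_POLICY. FULL_AWS_ACCESS reproduces the content of the AWS-managed FullAWSAccess SCP that is attached to an organization root by default, which is why a deny-only SCP like the page's still leaves non-S3 actions allowed at the SCP layer.

```python
"""Simplified IAM decision: identity policy AND SCPs AND permissions boundary.

Added example for the article; not AWS code. Models Effect/Action only, with
Resource "*", no Condition, no NotAction, no resource-based or session policies.
"""
import fnmatch

# SCP copied from the page: deny every S3 action.
SCP_DENY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}

# Permissions boundary copied from the page: describe/start/stop EC2 only.
BOUNDARY_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
    }],
}

# Content of the AWS-managed FullAWSAccess SCP attached to a root by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed identity policy for this example (hypothetical, not from the page).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_layer(policies, action):
    """Evaluate one layer (a list of policy documents) for a single action.

    Returns "Deny" if any matching statement is an explicit deny, "Allow" if
    some statement allows and none denies, otherwise "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny is final within the layer
                decision = "Allow"
    return decision


def effective_decision(action, identity_policies, scps, boundary=None):
    """Combine layers with a logical AND: every layer must allow, any explicit deny wins.

    Returns (decision, per_layer) so the caller can see which layer blocked the action.
    """
    layers = {"identity": identity_policies, "scp": scps}
    if boundary is not None:
        layers["boundary"] = [boundary]
    per_layer = {name: evaluate_layer(pols, action) for name, pols in layers.items()}
    if "Deny" in per_layer.values():
        return "Deny", per_layer
    if all(result == "Allow" for result in per_layer.values()):
        return "Allow", per_layer
    return "ImplicitDeny", per_layer


if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS, SCP_DENY_S3]
    for action in ("ec2:StartInstances", "ec2:TerminateInstances", "s3:GetObject"):
        decision, detail = effective_decision(action, [IDENTITY_POLICY], scps, BOUNDARY_EC2)
        print(f"{action:24} -> {decision:12} {detail}")
```

The third case shows the point behind several of the questions below: the identity policy allows s3:GetObject and the boundary never mentions S3, but the SCP's explicit deny decides the outcome regardless. Dropping SCP_DENY_S3 from the list turns that case into an implicit deny from the boundary, which is the "an SCP allowing everything does not override a boundary" situation. For the authoritative answer in a real account, run `aws iam simulate-principal-policy --policy-source-arn <role or user ARN> --action-names ec2:TerminateInstances s3:GetObject`, which evaluates the actual attached policies, boundary and, for a member account, the organization's SCPs.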

Comparison    Service Control Policies (SCPs)                  Permissions Boundaries
Scope         Account-level within AWS Organization            Individual IAM user or role
Purpose       To set the maximum permissions for an account    To delegate administrative tasks safely
Enforcement   Automatically applies to all IAM entities        Must be explicitly attached to IAM entities
Does not      Grant permissions                                Grant permissions
Application   Organization-wide policy enforcement             Role/user-specific permission limitation

Conclusion

Validating SCPs and permissions boundaries is a critical step to ensuring your AWS environment’s security and compliance. By understanding the difference between these two features and following best practices for policy simulation and auditing, administrators can effectively manage permissions within their AWS Organization. As part of the AWS Certified SysOps Administrator – Associate exam preparation, you should familiarize yourself with how to apply, validate, and troubleshoot these permission layers.

Answer the Questions in Comment Section

True/False: Service Control Policies (SCPs) apply to all IAM users and roles in the accounts they are attached to.

  • True
  • False

Answer: True

Explanation: SCPs are a type of policy that you can use to manage permissions in your AWS Organization. They apply to all IAM users and roles in the member accounts to which the SCPs are attached, as well as to the root user of those accounts.

What does an AWS Permissions Boundary do?

  • Limits the maximum permissions an IAM user or role can have.
  • Grants an IAM user permission to assume a role.
  • Removes all permissions from an IAM user or role.
  • Overrides the permissions set by the attached IAM policies.

Answer: Limits the maximum permissions an IAM user or role can have.

Explanation: A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM user or role.

True/False: SCPs can grant permissions to entities in the AWS accounts they affect.

  • True
  • False

Answer: False

Explanation: SCPs don’t grant permissions; instead, they are used as filters to limit the permissions that IAM policies can grant to entities within an AWS account that is part of an AWS Organization.

Which AWS feature enables you to validate policies against IAM users and roles?

  • AWS Trusted Advisor
  • AWS Access Analyzer
  • AWS IAM Simulator
  • AWS Organizations

Answer: AWS IAM Simulator

Explanation: AWS IAM Simulator allows you to test and validate your IAM policies to understand the effect of permission changes before they are applied.

True/False: Permissions boundaries are used to isolate resources within an AWS account.

  • True
  • False

Answer: False

Explanation: Permissions boundaries are used to control the maximum permissions that an IAM policy can grant to an IAM user or role, not to isolate resources within an AWS account.

Which of the following statements is true about SCPs and permissions boundaries?

  • SCPs can enforce permissions boundaries.
  • Only SCPs can set permissions boundaries.
  • SCPs and permissions boundaries serve the same purpose.
  • Permissions boundaries can restrict the permissions that IAM policies grant even when SCPs allow broader access.

Answer: Permissions boundaries can restrict the permissions that IAM policies grant even when SCPs allow broader access.

Explanation: Permissions boundaries enable you to set the maximum permissions that an IAM policy can grant to an IAM user or role, which can be more restrictive than what the SCPs allow.

True/False: Using SCPs effectively can help prevent privilege escalation within an AWS account.

  • True
  • False

Answer: True

Explanation: SCPs can define and enforce guardrails for IAM permissions, helping to prevent privilege escalation by ensuring that users do not receive permissions beyond what the SCPs allow.

In an AWS Organization, service control policies (SCPs) can be applied at which of the following levels?

  • Root level only
  • Organizational unit (OU) level only
  • Account level only
  • Both root level and organizational unit (OU) level

Answer: Both root level and organizational unit (OU) level

Explanation: SCPs can be applied at the root level, affecting all OUs and accounts under it, or they can be applied directly to an OU or an individual account within the organization.

True/False: Once you apply a permissions boundary to an IAM user, the user can execute any action permitted by their assigned IAM policies, regardless of the boundary.

  • True
  • False

Answer: False

Explanation: The permissions boundary acts as a ceiling for IAM permissions. An IAM user can only execute actions that are allowed by both their IAM policies and the permissions boundary.

The ____ is the tool you would use to test how SCPs and permissions boundaries affect access to resources in your AWS account.

  • IAM policy simulator
  • Access Advisor
  • SCP evaluation tool
  • IAM access analyzer

Answer: IAM policy simulator

Explanation: The IAM policy simulator is the tool to test and validate the effects of SCPs, IAM policies, and permissions boundaries.

True/False: An SCP that allows all actions (*) will automatically override any more restrictive permissions boundaries set at the IAM user or role level.

  • True
  • False

Answer: False

Explanation: SCPs define guardrails but do not grant permissions. Even if an SCP allows all actions, the permissions boundary on a user or role will still limit the effective permissions.

When should you use AWS Access Analyzer for validating SCPs and permissions boundaries?

  • Before you apply any policies.
  • To review existing policies for unintended access.
  • After you delete policies only.
  • You cannot use AWS Access Analyzer for SCPs or permissions boundaries.

Answer: To review existing policies for unintended access.

Explanation: AWS Access Analyzer is used for reviewing existing policies to identify the resources in your organization and accounts, such as S3 buckets or IAM roles, that are shared with an external entity. This can help ensure that the policies you set, like SCPs and permissions boundaries, do not inadvertently provide broader access than intended.

Comments
Mirjana Radović
5 months ago

This blog post on validating SCPs and permission boundaries for the SOA-C02 exam is a lifesaver!

حامد نكو نظر
8 months ago

I agree! Understanding SCPs is critical for the exam. Any tips on how to get more hands-on experience?

دینا سالاری
8 months ago

Does anyone know if AWS CloudFormation templates can be used to automate SCPs and permission boundaries?

Jovana Karanović
6 months ago

Great post, thanks for sharing!

Franklin Myers
6 months ago

How do SCPs and permission boundaries differ in their applications?

محمدطاها سالاری

I think the blog could have used more examples. It’s a bit abstract for beginners.

Trinidad Prieto
8 months ago

Thanks, this helped me understand the difference between policies!

Esat Başoğlu
5 months ago

Any expert here can explain how SCPs affect service-specific actions?
