awesome-service-control-policies

Awesome AWS service control policies (SCPs), resource control policies (RCPs), and organizational policies in general (service control, resource control, declarative, ai opt out, backup, tagging)

Inspired by many other awesome lists!

terraform modules

service control policies

• ScaleSec/terraform_aws_scp
• trussworks/terraform-aws-ou-scp
• cloudposse/terraform-aws-service-control-policies
• Appsilon/terraform-aws-ou-scp
• timurgaleev/terraform-aws-organization-scp
• welldone-cloud/aws-scps-for-sandbox-and-training-accounts
• latacora/latacora-service-control-policies

IAM helpers

• aws_iam_policy_document - Useful terraform data source to build a policy and minify it using attribute minified_json. For example data.aws_iam_policy_document.default.minified_json.
• phzietsman/terraform-aws-policy-packer - reduce size of IAM policy

policy stores

• primeharbor/aws-service-control-policies
• https://asecure.cloud/l/scp/
• https://github.com/aws-samples/resource-control-policy-examples
• https://github.com/aws-samples/service-control-policy-examples

reference architecture

• aws-samples/aws-scps-with-terraform

blogs

• AWS security blog tag: service control policies
• Dec 1 2024 - Simplify governance with declarative policies
• Nov 13 2024 - Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations
• Oct 9 2023 - What is AWS SCP (Service Control Policy) and How does it Help with Permissions?
• Jul 29 2023 - What are AWS Service Control Policies (SCPs)
• Jun 17 2022 - More about AWS Service Control Policies (SCP)
• Mar 25 2020 - AWS SCP Best Practices

Limits

• Policies do not affect users or roles in the management/root account. They affect only the member accounts in your organization.
• Policies have a maximum of 5 policies that can be attached to root/ou/account. ¹
• Policies have a maximum character limit of 5120 characters. ¹
• Policies do not affect service linked roles.
• member accounts cannot query which policies are applied to them ²
• Denied actions show that it was blocked by a service control policy but will not show which one in the error or in cloudtrail. ²
• No audit or evaluation mode for SCPs and other policies. ²

related projects

• https://ramimac.github.io/wiki/scps/
• https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#aws-wishlist

references

• List of expensive actions
• ACM SCPs
• AWS Service Control Policy Examples
• Service control policies (SCPs)
• Terraform and OpenTofu registry search for scp

Footnotes

1. Quotas and service limits for AWS Organizations ↩ ↩²

2. SummitRoute's SCP Best Practices AWS Wishlist ↩ ↩² ↩³