What is a Service Control Policy (SCP) and how does it affect permissions for an AWS account?


Multiple Choice

What is a Service Control Policy (SCP) and how does it affect permissions for an AWS account?

Explanation:
SCPs set the maximum permissions for any actions in the accounts they’re attached to. They act as guardrails, not as a way to grant access. In practice, an action is allowed only if it is permitted by both an IAM policy attached to the principal and by the SCP attached to the account (SCPs can explicitly deny an action or simply not include it). If the SCP blocks or does not include a permission, the action is denied regardless of IAM permissions.

For example, if an IAM policy would allow listing an S3 bucket but the SCP for that account denies s3:ListBucket, you won’t be able to list the bucket. SCPs are applied at the AWS Organizations level to a specific organizational unit or account, affecting all identities within that scope. They are not used to grant permissions, nor do they replace IAM policies.

