Service Control Policies (SCPs) and Permissions boundaries are two essential AWS features that every candidate preparing for the AWS Certified SysOps Administrator – Associate (SOA-C02) exam needs to understand. SCPs and permission boundaries are used in AWS to control access to AWS services and resources.

I. Service Control Policies (SCPs)

Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs provide central control over the maximum available permissions for all accounts in your organization.

An SCP is a JSON policy that specifies the maximum permissions for an organization or organizational unit (OU). When you attach an SCP to an OU, the SCP restricts the permissions of all the accounts in that OU. For example, an SCP could prevent or limit the actions that can be performed by an account in the OU.

Example of an SCP that denies any AWS action (except for viewing and listing in the AWS Management Console, CLI, and SDKs) on AWS resources in any AWS Region other than the Asia Pacific (Sydney) Region:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyAllOutsideSydneyRegion",
          "Effect": "Deny",
          "NotAction": "iam:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringNotEquals": {
              "aws:RequestedRegion": "ap-southeast-2"
            }
          }
        }
      ]
    }

II. Permissions boundaries

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

For example, to control the maximum permissions for a newly created IAM role, a permissions boundary could be applied to it. This boundary restricts the total permissions that the role can have, regardless of which permissions are granted to the role through its IAM policies.

Below is an example of a managed policy that might be used as a permissions boundary:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket",
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ],
        "Resource": "*"
      }
    }

Comparing SCPs and Permissions Boundaries:

Usage
  SCPs: Used to set the maximum permissions for an organization or organizational unit (OU).
  Permissions boundaries: Used to set the maximum permissions that an identity-based policy can grant to an IAM entity.

Attached to
  SCPs: Can be attached to an organization, root, OUs, or accounts.
  Permissions boundaries: Can be applied to IAM roles.

Restriction
  SCPs: Define what actions are allowed or denied for all IAM users and roles in the attached accounts.
  Permissions boundaries: Determine the maximum permissions an IAM role can have.

It’s important to note that both SCPs and permission boundaries serve as mechanisms for limiting permissions in AWS, but they do so in different contexts. Service Control Policies are typically used at an organizational level to ensure that members cannot circumvent the limitations set by the administrator, while permission boundaries provide fine-grained control over individual IAM roles. An understanding of both these elements would prove highly beneficial when taking the AWS Certified SysOps Administrator – Associate (SOA-C02) exam.
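As an added example (not code from the original page), the following Python models how the layers described above combine: the page's regional-deny SCP, the page's S3 managed policy used as a permissions boundary, the AWS-managed FullAWSAccess policy that Organizations attaches by default, and an assumed identity-based policy. It ignores resource ARNs (every policy on the page uses "*") and models only the StringNotEquals condition operator the SCP uses.

```python
import fnmatch
# Constructed example policies: the page's SCP, the page's S3 boundary, the
# AWS-managed FullAWSAccess default, and an assumed broad identity policy.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllOutsideSydneyRegion", "Effect": "Deny",
    "NotAction": "iam:CreateServiceLinkedRole", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-southeast-2"}}}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]}}
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
IDENTITY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "ec2:RunInstances"]}}

def _matches(patterns, action):
    # Action/NotAction may be a string or a list; '*' and 's3:*' are glob patterns.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _condition_holds(condition, ctx):
    # Only StringNotEquals is modelled (the one operator the page's SCP uses);
    # as in IAM, a negated operator is satisfied when the key is absent.
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        if any(ctx.get(key) == value for key, value in pairs.items()):
            return False
    return True

def evaluate(policy, action, ctx):
    """Return 'Allow', 'Deny', or None (no matching statement: implicit deny).
    Resources are ignored: every policy on the page uses "Resource": "*"."""
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    verdict = None
    for s in statements:
        hit = _matches(s["Action"], action) if "Action" in s else not _matches(s["NotAction"], action)
        if hit and _condition_holds(s.get("Condition", {}), ctx):
            if s["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            verdict = "Allow"
    return verdict

def is_allowed(action, ctx, identity, scps=(), boundary=None):
    """Intersection rule: the SCP layer (FullAWSAccess plus attached SCPs) must not
    deny, the boundary (if any) must allow, and the identity policy must allow."""
    scp_verdicts = [evaluate(p, action, ctx) for p in (FULL_AWS_ACCESS, *scps)]
    scp_ok = "Deny" not in scp_verdicts and "Allow" in scp_verdicts
    boundary_ok = boundary is None or evaluate(boundary, action, ctx) == "Allow"
    return scp_ok and boundary_ok and evaluate(identity, action, ctx) == "Allow"
```

With these inputs, s3:GetObject in ap-southeast-2 passes all three layers, the same call in us-east-1 is stopped by the SCP, and ec2:RunInstances is stopped by the boundary even though the identity policy grants it.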

Practice Test

True or False: An AWS account can only have a single service control policy associated with it at any given time.

  • True
  • False

Answer: False

Explanation: AWS allows multiple service control policies to be associated with an account; all SCPs set on an account apply at the same time.

Which of the following components is NOT part of a service control policy (SCP)?

  • a. Statement
  • b. Resource
  • c. Action
  • d. Effect

Answer: b. Resource

Explanation: The elements of a service control policy (SCP) are statement, action and effect. There is no resource element in SCP.

True or False: A permission boundary in AWS controls maximum permissions that can be granted to an IAM user or role.

  • True
  • False

Answer: True

Explanation: Permission boundaries determine the maximum permissions that an identity-based policy can grant to an IAM entity (user or role).

Which of the following statements is TRUE about Service Control Policies (SCPs)?

  • a. SCPs deny permissions.
  • b. SCPs allow permissions.
  • c. SCPs are IAM policies.
  • d. SCPs are not IAM policies.

Answer: a. SCPs deny permissions.

Explanation: SCPs do not grant permissions; they only define what permissions are not allowed.

True or False: IAM policies and SCPs are evaluated separately in AWS.

  • True
  • False

Answer: True

Explanation: IAM policies and SCPs are evaluated separately in AWS. First, the SCPs take effect, then IAM policies are evaluated.

Multiple select: Which items can you validate in Service Control Policies (SCPs)?

  • a. IAM role permissions
  • b. Resource tag permissions
  • c. IAM user permissions
  • d. S3 bucket policies

Answer: a. IAM role permissions, c. IAM user permissions

Explanation: SCPs allow for validation of IAM role permissions and IAM user permissions but not resource tag permissions or S3 Bucket Policies.

True or False: You can set a permissions boundary for an IAM group.

  • True
  • False

Answer: False

Explanation: Permissions boundaries can be set for IAM users or roles, but not groups.

Single select: In AWS Organizations, what happens if there are no SCPs attached to an account?

  • a. All actions are denied.
  • b. All actions are allowed.
  • c. Some actions are allowed.
  • d. The account is disabled.

Answer: b. All actions are allowed.

Explanation: If there are no service control policies attached to an AWS Account, all actions are allowed.

True or False: SCPs enable whitelist or blacklist access for AWS services.

  • True
  • False

Answer: True

Explanation: SCPs allow administrators to define blacklist (explicit deny) or whitelist (explicit allow) access for AWS services.

Single Select: SCPs are evaluated before which of the following?

  • a. IAM Permission policies
  • b. IAM Identity Policies
  • c. IAM Role Policies
  • d. All of the above

Answer: d. All of the above

Explanation: AWS first evaluates the SCPs and then moves on to evaluate IAM permission policies, IAM identity policies, and IAM role policies.

Interview Questions

What is the primary use-case of Service Control Policies (SCPs) in AWS?

SCPs are primarily used to set fine-grained permissions and to manage permissions in AWS Organizations. They establish the maximum permissions for an organization or organizational unit (OU).

What is the maximum number of SCPs that can be associated with an AWS organization?

You can associate up to five SCPs directly with an AWS organization.

What is a permissions boundary in AWS?

A permissions boundary is an advanced feature in IAM that sets the maximum permissions that an identity-based policy can grant to an IAM entity (user or role).

How does an SCP affect the permissions of an AWS IAM user?

The permissions of an IAM user are determined by the intersection of the user’s IAM identity-based policies and the SCPs associated with the user’s account. If the IAM identity-based policies grant a permission, then the SCP must also allow that permission. If either the IAM policies or SCP does not allow the action, it cannot be performed by the user.

Can you attach an SCP directly to an IAM user or role?

No, SCPs can only be attached to an AWS organization, organizational unit, or an account. They indirectly affect IAM users and roles due to the restrictions they might impose on the permissions those entities can have.

What happens if no SCPs are associated with an organizational unit in AWS?

If no SCPs are directly associated with an organizational unit, then AWS implicitly applies a full AWS Management Console and API access policy, allowing the organizational unit to access all services and actions.

How does a permissions boundary affect an IAM role?

The permissions a role has are defined by the intersection of the permissions policy and the permissions boundary. The role can only have access to actions allowed by both documents. If either one denies an action, the role cannot perform that action.

Can a service control policy (SCP) deny all service actions for your AWS organization?

Yes, an SCP can explicitly deny all service actions across your AWS organization.

Can you attach a permissions boundary to an AWS IAM group?

No, permission boundaries can only be attached to users and roles, not groups.

If you delete a service control policy (SCP), what will happen to the AWS accounts it was attached to?

When an SCP is deleted, it is automatically detached from all AWS accounts it was attached to. The accounts will no longer be affected by the permissions defined in the SCP.

If a permissions boundary allows an action, can an IAM user perform that action?

An IAM user can only perform an action if both their permissions policies and permissions boundary allow it. If either one denies the action, then the user cannot perform it.

Is it possible to use service control policies (SCPs) to delegate permissions to IAM users?

No, SCPs do not delegate permissions. Instead, they define a maximum set of permissions for all the accounts within an organization or Organizational Units. They limit permissions that IAM identity-based policies or resource-based policies grant to entities (users or roles) within the account.

Do service control policies (SCPs) support explicit ‘allow’ statements?

Yes, SCPs support both ‘allow’ and ‘deny’ statements, but ‘deny’ statements take precedence over ‘allow’ statements.

What is the effect of the AWS managed policy named ‘FullAWSAccess’ on SCPs?

The ‘FullAWSAccess’ managed policy allows all actions on all resources, effectively bypassing any limitations put in place by SCPs.

Do Permissions Boundaries affect the permissions of a resource-based policy?

No, permissions boundaries do not affect a resource-based policy; they limit the maximum permissions an entity can have only when used with an IAM permissions policy.
