How can I increase the SCP character size limit or number of SCPs for an AWS Organization?

3 minute read
0

I want to increase the character limit for service control policies (SCPs) or attach more SCPs to an entity in an AWS Organization.

Resolution

The AWS Organizations service has a hard limit of five SCPs per account.

Use these methods to reduce the number of SCPs directly attached to an account to allow for additional restrictions in an Organization.

  • Consolidate multiple SCPs into a single SCP
  • Use SCP inheritance in the organizational unit's (OU) hierarchy

Consolidate multiple SCPs into a single SCP

Use this method if the size of the SCP is less than the policy size limit of 5,120 bytes.

Follow these recommendations to reduce the SCP size limit:

  • Review your SCPs and remove any duplicate permissions. For example, put all actions with the same Effect and Resource elements in one statement instead of in multiple statements.
  • Remove any unnecessary element such as the statement ID (Sid) because that element counts against the total number of characters allowed.
  • Use wildcards for actions with the same suffixes or prefixes. For example, the actions ec2:DescribeInstances, ec2:DescribeTags, and ec2:DescribeSubnets can be combined as ec2:Describe*.
    Important: Using wildcards can create additional security risks in an Organization. Wildcards grant broad permissions, often for multiple resources. They can grant unintended permissions for users and roles in your Organization. Never apply permissions using this method to AWS Lambda functions. Be sure that you use wildcards only after performing due diligence.

Use SCP inheritance in the OU hierarchy

The five SCPs limit doesn't include SCPs that are inherited from the parent. You can use the inheritance structure of SCPs for OUs and member accounts to distribute SCPs across multiple OUs. For example, to deny IAM users or roles with your Organization's member accounts from accessing AWS services, set up your Organization structure like this example:

Root    <--- 1 full access SCP (1 directly attached)  
 |
OU1     <--- 1 full access, 4 deny SCPs (5 directly attached, 1 inherited)
 |
OU2     <--- 1 full access, 4 deny SCPs (5 directly attached, 6 inherited)
 |
Account <--- 1 full access, 4 deny SCPs (5 directly attached, 11 inherited)
 |
Bob

Permissions that are filtered by SCPs at each node of an Organization hierarchy are the intersection of directly attached and inherited SCPs. In this example, the AWS Identity and Access Management (IAM) user Bob in a member account has full access minus the services denied by the 12 deny-based SCPs. This approach is scalable because the maximum number of nested OUs that you can have within your Organization hierarchy is five. For more information, see SCP evaluation and Quotas for AWS Organizations.

Related information

Strategies for using SCPs

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago