When you create an AWS organization, by default the FullAWSAccess SCP is created and attached to all accounts in the organization. It cannot be edited, but it can be detached from any of the member accounts. It can only be detached if there is one other SCP already attached to that account.
Here is the content of that default SCP, FullAWSAccess:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Any action that isn't explicitly allowed by an SCP is implicitly denied and can't be delegated to users or roles in the affected accounts.
Reference: AWS SCP Inheritance
An SCP doesn't grant anything; it's a guardrail, which is used to allow everything (without granting it) and then deny specific resources/services based on conditions.
Refer to SCP permissions effect for additional details.
If you haven't already, go through the Policy Evaluation Logic doc and Permissions Chart, which you'll find super helpful to see how this evaluation works.
Hope you find this useful.
Abhishek
This chart explains how these policies are evaluated, determining whether a request is allowed or denied within an account.
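To make the guardrail behaviour concrete, here is an added example (not from the answer above or from AWS) that simulates the SCP part of the evaluation logic: every level of the inheritance path (root, each OU, the account) must contain an Allow and no explicit Deny, and only then does the identity policy decide. The deny-SCP, the identity policy and the OU layout are constructed for illustration; condition keys, resource policies and permissions boundaries are deliberately left out.

```python
import fnmatch

# The default FullAWSAccess SCP quoted in the answer.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Hypothetical guardrail SCP attached at an OU level (constructed sample).
DENY_S3_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}
# Hypothetical IAM identity policy on the role making the request (constructed sample).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}


def _matches(pattern, value):
    """Match an IAM action/resource pattern ('*' wildcards) against a value."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit deny' for one policy document."""
    result = "Implicit deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result


def scps_allow(scp_levels, action, resource):
    """SCP inheritance: each level (root, OUs, account) is a list of SCPs and
    must contain at least one Allow and no explicit Deny for the request."""
    for level in scp_levels:
        verdicts = [evaluate_policy(p, action, resource) for p in level]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


def is_allowed(scp_levels, identity_policy, action, resource="*"):
    """SCPs act as the guardrail first; the identity policy must then grant it."""
    if not scps_allow(scp_levels, action, resource):
        return False
    return evaluate_policy(identity_policy, action, resource) == "Allow"
```

Detaching FullAWSAccess from the account level without replacing it with another Allow turns every request into an implicit deny, which is exactly why the console refuses the detach unless another SCP is attached.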
If you have any additional questions, please feel free to comment. Happy to help.