AWS Organizations Service Control Policies
GPTKB entity
Statements (53)
Predicate | Object |
---|---|
gptkbp:instanceOf | cloud computing policy |
gptkbp:abbreviation | gptkb:SCPs |
gptkbp:appliesTo | gptkb:AWS_Organizations; organizational units; individual AWS accounts |
gptkbp:attachedTo | gptkb:organization root; organizational units; member accounts |
gptkbp:canBe | restricting permissions (an SCP never grants permissions) |
gptkbp:canBeManagedBy | organization administrators (the management account, or a delegated administrator account for Organizations) |
gptkbp:canDeny | specific AWS service actions |
gptkbp:cannotBeAppliedTo | service-linked roles; the organization's management account; accounts outside the organization |
gptkbp:cannotBeManagedBy | member account users (other than a delegated administrator for Organizations) |
gptkbp:cannotGrant | any permissions; an SCP only filters what IAM policies grant |
gptkbp:cannotOverride | explicit denies in IAM identity or resource-based policies (an SCP allow never overrides a deny elsewhere) |
gptkbp:capacity | 5,120 characters per policy document |
gptkbp:compatibleWith | IAM identity policies (an SCP grants no permissions by itself) |
gptkbp:controls | maximum available permissions for member AWS accounts |
gptkbp:documentation | https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html |
gptkbp:enables | least privilege principle; security best practices; compliance enforcement; centralized permission management |
gptkbp:enforcedBy | gptkb:AWS_Organizations |
gptkbp:enforcementScope | all users and roles in an attached account, including the account's root user |
https://www.w3.org/2000/01/rdf-schema#label | AWS Organizations Service Control Policies |
gptkbp:introducedIn | 2017 |
gptkbp:maximumPoliciesPerAccount | 5 |
gptkbp:policy | gptkb:JSON; FullAWSAccess (the AWS-managed default SCP attached to every root, OU and account) |
gptkbp:policyAttachmentLimit | 5 per root, OU or account |
gptkbp:policyEffect | restricts maximum permissions |
gptkbp:policyEvaluation | all SCPs attached at every level from the root down to the account are evaluated; an action must be allowed at every level and explicitly denied at none |
gptkbp:policyEvaluationOrder | SCPs are checked before IAM identity policies; an action must be allowed by both |
gptkbp:policyInheritance | SCPs attached to a parent OU apply to every OU and account beneath it; effective permissions are the intersection of the SCPs at each level |
gptkbp:provides | gptkb:Amazon_Web_Services |
gptkbp:purpose | define maximum available permissions; restrict AWS service actions; set permission guardrails |
gptkbp:relatedTo | gptkb:AWS_Organizations; IAM policies; resource-based policies; permissions boundaries |
gptkbp:scope | multi-account; organization-wide |
gptkbp:supports | allow and deny statements |
gptkbp:worksWith | IAM policies |
gptkbp:bfsParent | gptkb:AWS_EventBridge |
gptkbp:bfsLayer | 6 |
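The evaluation rules listed above (every level from root to account must allow, any explicit deny wins, an SCP never grants anything by itself, and the default FullAWSAccess policy is what makes the Allow side work) are easiest to see in a small simulator. The block below is an added example written for this page, not AWS code and not the real IAM evaluation engine; it models only Action/NotAction matching and the StringEquals/StringNotEquals operators on the aws:RequestedRegion key, treats Resource as "*", and the REGION_GUARDRAIL policy, the "Workloads" OU layout and the two IAM policies are constructed for the example.

```python
"""Simulator of AWS Organizations SCP evaluation (added example, not AWS code).

Rules modelled from the AWS Organizations user guide:
  * an SCP never grants permissions by itself;
  * to pass the SCP check, every level from the root down to the account must
    have an attached SCP that allows the action, and no SCP at any level may
    explicitly deny it;
  * the effective decision is the intersection with the IAM identity policy.

Assumptions: only Action/NotAction and StringEquals/StringNotEquals on
aws:RequestedRegion are implemented; Resource is treated as "*".
"""
from fnmatch import fnmatchcase

# AWS-managed default SCP attached to every root, OU and account when SCPs are enabled.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail (not an AWS-managed policy): deny everything outside two
# EU regions except a few global services, and deny leaving the organization.
REGION_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}
            },
        },
        {
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_matches(condition, ctx):
    # Only StringEquals / StringNotEquals on request-context keys (assumption).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            hit = ctx.get(key) in _as_list(expected)
            if operator == "StringEquals":
                if not hit:
                    return False
            elif operator == "StringNotEquals":
                if hit:  # a missing key counts as "not equal", as in IAM
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate_policy(policy, action, ctx):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            applies = _action_matches(_as_list(stmt["Action"]), action)
        else:
            applies = not _action_matches(_as_list(stmt["NotAction"]), action)
        if not applies or not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final within this document
        decision = "Allow"
    return decision


def scp_allows(levels, action, ctx):
    """levels: list of SCP lists ordered root -> OU(s) -> account."""
    for scps in levels:
        decisions = [evaluate_policy(p, action, ctx) for p in scps]
        if "Deny" in decisions or "Allow" not in decisions:
            return False  # a level with no Allow, or with any Deny, blocks the action
    return True


def effective_decision(levels, iam_policy, action, ctx):
    """SCP filter first; then the IAM identity policy must itself allow."""
    if not scp_allows(levels, action, ctx):
        return "Deny"
    return "Allow" if evaluate_policy(iam_policy, action, ctx) == "Allow" else "Deny"


# Constructed organization: root -> Workloads OU (guardrail attached) -> member account.
ORG_LEVELS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, REGION_GUARDRAIL], [FULL_AWS_ACCESS]]
ADMIN_IAM = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_S3_IAM = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    for action, region, iam in [
        ("ec2:RunInstances", "eu-west-1", ADMIN_IAM),
        ("ec2:RunInstances", "us-east-1", ADMIN_IAM),
        ("iam:CreateUser", "us-east-1", ADMIN_IAM),
        ("organizations:LeaveOrganization", "eu-west-1", ADMIN_IAM),
        ("ec2:RunInstances", "eu-west-1", READONLY_S3_IAM),
    ]:
        ctx = {"aws:RequestedRegion": region}
        print(action, region, effective_decision(ORG_LEVELS, iam, action, ctx))
```

Two cases are worth running by hand. Detaching FullAWSAccess from the Workloads OU (passing `[[FULL_AWS_ACCESS], [REGION_GUARDRAIL], [FULL_AWS_ACCESS]]` as the levels) denies every action in the account, because that level no longer has an Allow; this is the "allow at every level" rule that surprises people who replace the default policy with a deny-only guardrail. And the administrator IAM policy that is allowed by every SCP still cannot act where the guardrail denies, while the read-only S3 policy gets nothing from the SCPs' broad Allow: the SCP sets the ceiling, the IAM policy has to grant the permission underneath it.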