AWS Organizations Service Control Policies
GPTKB entity
Statements (53)
| Predicate | Object |
|---|---|
| gptkbp:instanceOf | gptkb:cloud_computing_policy |
| gptkbp:abbreviation | gptkb:SCPs |
| gptkbp:appliesTo | gptkb:AWS_Organizations; organizational units; individual AWS accounts |
| gptkbp:attachedTo | gptkb:bank; gptkb:organization; gptkb:root |
| gptkbp:canBe | granting permissions; restricting permissions |
| gptkbp:canBeManagedBy | organization administrators |
| gptkbp:canDeny | specific AWS service actions |
| gptkbp:cannotBeAppliedTo | service-linked roles; AWS root user; external accounts |
| gptkbp:cannotBeManagedBy | member account users |
| gptkbp:cannotGrant | permissions not allowed by SCP |
| gptkbp:cannotOverride | AWS service-level restrictions |
| gptkbp:capacity | 5,120 characters per policy |
| gptkbp:compatibleWith | permissions by themselves |
| gptkbp:controls | permissions for AWS accounts |
| gptkbp:documentation | https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html |
| gptkbp:enables | least privilege principle; security best practices; compliance enforcement; centralized permission management |
| gptkbp:enforcedBy | gptkb:AWS_Organizations |
| gptkbp:enforcementScope | all users and roles in an account |
| gptkbp:introducedIn | 2017 |
| gptkbp:maximumPoliciesPerAccount | 5 |
| gptkbp:policy | gptkb:JSON; FullAWSAccess JSON policy |
| gptkbp:policyAttachmentLimit | 5 per account or OU |
| gptkbp:policyEffect | restricts maximum permissions |
| gptkbp:policyEvaluation | all attached SCPs are evaluated |
| gptkbp:policyEvaluationOrder | SCPs evaluated before IAM policies |
| gptkbp:policyInheritance | policies inherited from parent OUs |
| gptkbp:provides | gptkb:Amazon_Web_Services |
| gptkbp:purpose | define maximum available permissions; restrict AWS service actions; set permission guardrails |
| gptkbp:relatedTo | gptkb:AWS_Organizations; IAM policies; Resource-based policies; Permission Boundaries |
| gptkbp:scope | multi-account; organization-wide |
| gptkbp:supports | allow and deny statements |
| gptkbp:worksWith | IAM policies |
| gptkbp:bfsParent | gptkb:AWS_EventBridge |
| gptkbp:bfsLayer | 7 |
| https://www.w3.org/2000/01/rdf-schema#label | AWS Organizations Service Control Policies |