Creating, updating, and deleting service control policies

Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

On the Service control policies page, choose Create policy.

On the Create new service control policy page, enter a Policy name and an optional Policy description.

(Optional) Add one or more tags by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging Amazon Organizations resources.

To build the policy, your next steps vary depending on whether you want to add a statement that denies or allows access. For more information, see SCP evaluation. If you use Deny statements, you have additional control because you can restrict access to specific resources, define conditions for when SCPs are in effect, and use the NotAction element. For details about syntax, see SCP syntax.

To add a statement that denies access:

1. In the right Edit statement pane of the editor, under Add actions, choose an Amazon service.

   As you choose options on the right, the JSON editor updates to show the corresponding JSON policy on left.

2. After you select a service, a list opens that contains the available actions for that service. You can choose All actions, or choose one or more individual actions that you want to deny.

   The JSON on the left updates to include the actions you selected.

   Note

   If you select an individual action and then also go back and also select All actions, the expected entry for servicename/* is added to the JSON, but the individual actions that you previously selected are left in the JSON and not removed.

3. If you want to add actions from additional services, you can choose All services at the top of the Statement box, and then repeat the previous two steps as needed.

4. Specify resources to include in the statement.

   • Next to Add a resource, choose Add.

   • In the Add resource dialog, choose the service whose resources you want to control from the list. You can select from among only those services you selected in the previous step.

   • Under Resource type, choose the type of resource you want to control.

   • Finally, complete the Amazon Resource Name (ARN) in Resource ARN to identify the specific resource to which you want to control access. You must replace all placeholders that are surrounded by curly braces {}. You can specify wild cards (*) where that resource type's ARN syntax permits. See the documentation for a specific resource type for information about where you can use wild cards.

   • Save your addition to the policy by choosing Add resource. The Resource element in the JSON reflects your additions or changes. The Resource element is required.

   Tip

   If you want to specify all resources for the selected service, either choose the All resources option in the list, or edit the Resource statement directly in the JSON to read "Resource":"*".

5. (Optional) To specify conditions that limit when a policy statement is in effect, next to Add condition, choose Add.

   • Condition key – From the list you can choose any condition key that is available for all Amazon services (for example, aws:SourceIp) or a service-specific key for only one of the services that you selected for this statement.

   • Qualifier – (Optional) If you provide multiple values for the condition (dependent on the specified condition key), you can specify a qualifier for testing requests against the values.

     • Default – Tests a single value in the request against the condition key value in the policy. The condition returns true if the value in the request matches the value in the policy. If the policy specifies more than one value then they are treated as an "or" test, and the condition returns true if the request values matches any of the policy values.

     • For any value in a request – When the request can have multiple values, this option tests whether at least one of the request values matches at least one of the condition key values in the policy. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or a null dataset, the condition returns false.

     • For all values in a request – When the request can have multiple values, this option tests whether every request value matches a condition key value in the policy. The condition returns true if every key value in the request matches at least one value in the policy. It also returns true if there are no keys in the request, or if the key values resolve to a null data set, such as an empty string.

   • Operator – The operator specifies the type of comparison to make. The options that are presented depend on the data type of the condition key. For example, the aws:CurrentTime global condition key lets you pick from any of the date comparison operators, or Null, which you can use to test whether the value is present in the request.

     For any condition operator except the Null test, you can choose the IfExists option.

   • Value – (Optional) Specify one or more values for which you want to test the request.

   Choose Add condition.

   For more information about condition keys, see IAM JSON Policy Elements: Condition in the IAM User Guide.

6. (Optional) To use the NotAction element to deny access to all actions except those specified, replace Action in the left pane with NotAction, just after the "Effect": "Deny", element. For more information, see IAM JSON Policy Elements: NotAction in the IAM User Guide.

To add a statement that allows access:

1. In the JSON editor on the left, change the line "Effect": "Deny" to "Effect": "Allow".

   As you choose options on the right, the JSON editor updates to show the corresponding JSON policy on the left.

2. After you select a service, a list opens that contains the available actions for that service. You can choose All actions, or choose one or more individual actions that you want to allow.

   The JSON on the left updates to include the actions you selected.

   Note

   If you select an individual action and then also go back and also select All actions, the expected entry for servicename/* is added to the JSON, but the individual actions that you previously selected are left in the JSON and not removed.

3. If you want to add actions from additional services, you can choose All services at the top of the Statement box, and then repeat the previous two steps as needed.

(Optional) To add another statement to the policy, choose Add statement and use the visual editor to build the next statement.

When you're finished adding statements, choose Create policy to save the completed SCP.

Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

On the Service control policies page, choose the name of the policy that you want to update.

On the policy's detail page, choose Edit policy.

Make any or all of the following changes:

When you're finished, choose Save changes.

Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

On the Service control policies page choose the name of the policy with the tags that you want to edit.

On the policy details page, choose the Tags tab, and then chooseManage tags.

Make any or all of the following changes:

When you're finished, choose Save changes.

Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

On the Service control policies page, choose the name of the SCP that you want to delete.

You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.

Choose Delete at the top of the page.

On the confirmation dialog box, enter the name of the policy, and then choose Delete.