Service Control Policies (SCPs) and Service-Linked Roles in AWS Organizations: Understanding Their Interaction

1. What are SCPs (Service Control Policies)?

Service Control Policies (SCPs) are a feature of AWS Organizations, which is a service that helps you centrally manage and govern multiple AWS accounts as a single entity. SCPs are essentially policy documents that allow you to set fine-grained permissions and restrictions at the organizational level. These policies define what actions (API operations) are allowed or denied for accounts within the organization, effectively helping you control what each account can do.

2. What are Service-Linked Roles?

Service-linked roles are specific AWS Identity and Access Management (IAM) roles created and managed by AWS services. Each role is predefined by the service that owns it, with a well-defined purpose and a fixed set of permissions. AWS services use these roles to interact with other AWS resources on your behalf.

3. How SCPs Interact with Service-Linked Roles

The statement “SCPs DO NOT affect any service-linked role” emphasizes that Service Control Policies do not apply to or impact service-linked roles in any way. These roles are exempt from the restrictions imposed by SCPs. Here’s why:

  • Integration with AWS Services: Service-linked roles are created to allow AWS services to integrate with AWS Organizations. These services need specific permissions to perform organizational tasks, like joining accounts to the organization or associating accounts with policies.
  • Limited and Managed by AWS: The permissions and policies associated with service-linked roles are predefined and managed by AWS, ensuring that the services have the necessary access without being restricted by your custom SCPs.
  • Unaffected by Custom Policies: Even if you have stringent SCPs that restrict certain API operations for your AWS accounts, those restrictions do not extend to the service-linked roles. The service-linked roles maintain their predefined permissions, enabling the smooth functioning of the AWS services’ organizational tasks.
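To make the exemption concrete, here is a small added example (not AWS code or an AWS API) that models how SCP statements are evaluated for a principal and short-circuits for service-linked roles, which IAM places under the reserved path `/aws-service-role/`. It assumes statements are matched on Action only (Resource and Condition are ignored), and every ARN, account ID and service name in it is constructed.

```python
"""Toy SCP evaluator illustrating the service-linked-role exemption."""
from fnmatch import fnmatchcase

# Constructed SCPs: the usual allow-all baseline plus a deny on EC2 and on
# leaving the organization.
SAMPLE_SCPS = [
    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny",
                    "Action": ["ec2:*", "organizations:LeaveOrganization"],
                    "Resource": "*"}]},
]


def is_service_linked_role(principal_arn: str) -> bool:
    """Service-linked roles always carry the IAM path /aws-service-role/."""
    return ":role/aws-service-role/" in principal_arn


def _matches(action: str, patterns) -> bool:
    # IAM action names are case-insensitive and support '*' and '?' wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(principal_arn: str, action: str, scps) -> bool:
    """True if the SCPs leave `action` available to the principal.

    Service-linked roles are returned as permitted without consulting any
    policy, mirroring the rule that SCPs do not apply to them. For every
    other principal an explicit Deny wins; otherwise some statement must
    Allow the action (no Allow at all means denied).
    """
    if is_service_linked_role(principal_arn):
        return True
    allowed = False
    for policy in scps:
        stmts = policy["Statement"]
        if isinstance(stmts, dict):        # a single statement may be a bare object
            stmts = [stmts]
        for stmt in stmts:
            if not _matches(action, stmt["Action"]):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    user = "arn:aws:iam::111122223333:user/alice"                   # constructed
    slr = ("arn:aws:iam::111122223333:role/aws-service-role/"
           "example.amazonaws.com/AWSServiceRoleForExample")          # constructed
    for arn in (user, slr):
        print(arn, "ec2:RunInstances ->", scp_permits(arn, "ec2:RunInstances", SAMPLE_SCPS))
```

Running it shows the IAM user blocked from `ec2:RunInstances` by the Deny while the constructed service-linked role is reported as unaffected.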

In summary, SCPs provide control and governance over the actions AWS accounts can perform within your organization. However, they are not designed to affect or restrict the permissions of service-linked roles, as these roles are essential for AWS services to seamlessly integrate and manage organizational aspects. It’s important to understand that while SCPs offer fine-grained control, they do not interfere with the predefined roles used by AWS services to facilitate their functions within AWS Organizations.
