AWS organizations medium security documentation change
Summary
Updated SCP syntax examples, corrected formatting in tables, restructured policy examples (swapped allow/deny examples), added clarification about Resource element usage in Allow vs Deny statements, and reordered unsupported elements list.
Security assessment
The changes clarify security-critical SCP syntax restrictions (e.g., Resource element limitations in Allow statements) and correct policy examples that enforce regional restrictions and principal-based access. These updates directly impact how security controls are implemented through SCPs.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_policies_scps_syntax.md b/organizations/latest/userguide/orgs_manage_policies_scps_syntax.md index 2dbc45f86..d5a6e7a56 100644 --- a//organizations/latest/userguide/orgs_manage_policies_scps_syntax.md +++ b//organizations/latest/userguide/orgs_manage_policies_scps_syntax.md @@ -30,3 +30,3 @@ Version | Specifies the language syntax rules to use for processing the policy. -Condition | Specifies conditions for when the statement is in effect. | `Allow`, `Deny` -NotAction | Specifies AWS service and actions that are exempt from the SCP. Used instead of the `Action` element. | `Allow`, `Deny` -Resource | Specifies the AWS resources that the SCP applies to. | `Allow`, `Deny` +Condition | Specifies conditions for when the statement is in effect. | `Allow,``Deny` +NotAction | Specifies AWS service and actions that are exempt from the SCP. Used instead of the `Action` element. | `Allow,``Deny` +Resource | Specifies the AWS resources that the SCP applies to. | `Allow,``Deny` @@ -156 +156 @@ You can specify a `Condition` element in allow and deny statements in an SCP. -The following example shows how to use a condition element with a deny statement in an SCP to restrict access to any operations outside the `eu-central-1` and `eu-west-1` Regions, except for actions in the specified services. +The following example shows how to use a condition element with an allow statement in an SCP to permit specific principals to access AWS services. @@ -163,4 +163,8 @@ The following example shows how to use a condition element with a deny statement - "Sid": "DenyAllOutsideEU", - "Effect": "Deny", - "NotAction": [ - "cloudfront:*", + "Sid":"AllowServicesForSpecificPrincipal", + "Effect":"Allow", + "Action":[ + "ec2:*", + "s3:*", + "rds:*", + "lambda:*", + "cloudformation:*", @@ -168,2 +172 @@ The following example shows how to use a condition element with a deny statement - "route53:*", - "support:*" + "cloudwatch:*" @@ -173,4 +176,3 @@ The following example shows how to use a condition element with a deny statement - "StringNotEquals": { - "aws:RequestedRegion": [ - "eu-central-1", - "eu-west-1" + "StringEquals":{ + "aws:PrincipalArn":[ + "arn:aws:iam::123456789012:role/specific-role" @@ -184 +186,7 @@ The following example shows how to use a condition element with a deny statement -The following example shows how to use a condition element with an allow statement in an SCP to permit specific principals to access AWS services. +The following example shows how to use a condition element with a deny statement in an SCP to restrict access to any operations outside the `eu-central-1` and `eu-west-1` Regions, except for actions in the specified services. + +JSON + + +**** + @@ -191,8 +199,4 @@ The following example shows how to use a condition element with an allow stateme - "Sid":"AllowServicesForSpecificPrincipal", - "Effect":"Allow", - "Action":[ - "ec2:*", - "s3:*", - "rds:*", - "lambda:*", - "cloudformation:*", + "Sid": "DenyAllOutsideEU", + "Effect": "Deny", + "NotAction": [ + "cloudfront:*", @@ -200 +204,2 @@ The following example shows how to use a condition element with an allow stateme - "cloudwatch:*" + "route53:*", + "support:*" @@ -204,3 +209,4 @@ The following example shows how to use a condition element with an allow stateme - "StringEquals":{ - "aws:PrincipalArn":[ - "arn:aws:iam::123456789012:role/specific-role" + "StringNotEquals": { + "aws:RequestedRegion": [ + "eu-central-1", + "eu-west-1" @@ -268,0 +276,2 @@ This statement in an SCP sets a guardrail to prevent affected accounts (where th +In statements where the `Effect` element has a value of `Allow`, you can specify only "*" in the `Resource` element of an SCP. You can't specify individual resource Amazon Resource Names (ARNs). + @@ -278 +287,7 @@ You can use wildcard characters such as asterisk (*) or question mark (?) in the -The following example shows how to use an SCP to prevent IAM users and roles in affected accounts from modifying a common administrative IAM role created in all accounts in your organization. +In statements where the `Effect` element has a value of `Deny`, you _can_ specify individual ARNs, as shown in the following example. + +JSON + + +**** + @@ -305,0 +321,3 @@ The following example shows how to use an SCP to prevent IAM users and roles in + +This SCP restricts IAM users and roles in affected accounts from making changes to a common administrative IAM role created in all accounts in your organization. + @@ -385,2 +402,0 @@ The following elements aren't supported in SCPs: - * `Principal` - @@ -388,0 +405,2 @@ The following elements aren't supported in SCPs: + * `Principal` +