Reply To: SCPs and IAM policies for tags
Hi juano1985,
Thanks for your feedback.
IAM policies and SCPs serve different purposes but can complement each other for enhanced security and management in AWS.
IAM Policy: An IAM policy is more granular and applies to users, groups, and roles within a specific AWS account. It allows or denies permissions to specific AWS services and resources and provides fine-grained control within an AWS account.
Service Control Policies (SCPs): An SCP is used at the organization level to set permission boundaries for all AWS accounts within the organization. It’s a way to centrally control the maximum available permissions for all accounts in your organization.
Having both allows for layered security – SCPs ensure organization-wide compliance with certain restrictions, while IAM policies provide detailed permissions within each account. So, even if an SCP restricts the ec2:RunInstances action across all accounts, having an IAM policy in each AWS account provides an additional layer of security by ensuring that the required tags are added at the account level. This way, even if the SCP were to be modified or removed, the IAM policy would still enforce the tagging requirement. Therefore, using SCPs and IAM policies together provides a more robust and flexible security configuration. Please refer to this: https://tutorialsdojo.com/service-control-policies-scp-vs-iam-policies/
I hope this helps! Let me know if you have any further questions.
Best Regards.
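An added example, not part of the reply above, showing the layering it describes: an SCP and an IAM policy that each deny ec2:RunInstances when the request lacks a tag, evaluated by a constructed, simplified deny-wins model (the tag key "CostCenter" and the evaluator are assumptions, not the real IAM engine).

```python
# Constructed example: both policies deny ec2:RunInstances unless the request
# carries the assumed tag key "CostCenter" (aws:RequestTag/CostCenter).
REQUIRED_TAG = "CostCenter"  # assumed tag key, not from the original post

# Organization-level SCP: an explicit Deny when the tag is missing on the request.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRunInstancesWithoutCostCenter",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        # "Null": "true" matches when the request tag key is absent
        "Condition": {"Null": {f"aws:RequestTag/{REQUIRED_TAG}": "true"}},
    }],
}

# Account-level IAM policy: grants the action but repeats the same Deny, so the
# tagging requirement survives even if the SCP is edited or removed.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Sid": "RequireCostCenterTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"Null": {f"aws:RequestTag/{REQUIRED_TAG}": "true"}},
        },
    ],
}

def _null_condition_matches(cond, request_tags):
    """Simplified 'Null' operator: 'true' means the tag key must be absent."""
    for key, expected in cond.get("Null", {}).items():
        tag_key = key.removeprefix("aws:RequestTag/")
        if str(tag_key not in request_tags).lower() != expected:
            return False
    return True

def is_allowed(action, request_tags, policies):
    """Deny-wins evaluation: any matching Deny rejects; otherwise an unconditional Allow is needed."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if action not in actions:
                continue
            cond = stmt.get("Condition", {})
            if stmt["Effect"] == "Deny" and (not cond or _null_condition_matches(cond, request_tags)):
                return False
            if stmt["Effect"] == "Allow" and not cond:
                allowed = True
    return allowed
```

Dropping SCP from the policy list simulates the SCP being removed; the IAM policy's own Deny still blocks untagged launches.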