Posted On: Oct 9, 2023
Starting today, you can use Service Control Policies (SCPs) to set permission guardrails with the fine-grained controls used in Amazon Identity and Access Management (IAM) policies in the Amazon Web Services China (Beijing) Region, operated by Sinnet and the Amazon Web Services China (Ningxia) Region, operated by NWCD. This makes it easier to meet the specific requirements of your organization’s governance rules. The policy editor in the Amazon Organizations console makes it easy to author SCPs by guiding you to add actions, resources, and conditions.
Amazon Organizations helps you centrally govern your environment as you grow and scale your workloads on Amazon Web Services Cloud. Central security administrators use SCPs with Amazon Organizations to establish access controls that all IAM principals (users and roles) adhere to. Now, using SCPs, you can control what the principals in your organization can access across accounts in your organization or organizational unit. For example, you can use SCPs to restrict access to only resources in your organization (using aws:ResourceOrgID), or prevent deleting common resources, such as an IAM role used for your central administrators.
To get started with SCPs, visit the Amazon Organizations console. You can use SCPs in any Amazon Web Services regions that supports Amazon Organizations, including the Amazon Web Services China (Beijing) Region, operated by Sinnet and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about SCPs, visit the Service Control Policies documentation, read the blog “How to use service control policies to set permission guardrails across accounts in your Amazon Organization,” and “Get more out of service control policies in a multi-account environment.”