Hierarchical Policies for AWS Accounts
With AWS Organizations, you can create a top-level organization that contains multiple accounts. Under the organization root, multiple organizational units (OUs) can be defined, and OUs can be nested.
So you could segment accounts into an ‘Executive OU’, a ‘Financial OU’ and so on. Policies applied at the OU level are inherited by every account (and every child OU) within that OU.
Policies and OUs
Policies are available only after you enable all features in your organization (consolidated billing alone is not enough). You can attach policies to the following entities in your organization:
- A root – A policy attached to the root applies to all accounts in the organization
- An OU – A policy attached to an OU applies to all accounts in the OU and to any child OUs
- An account – A policy attached to an account applies only to that one account
Service control policies
Service control policies (SCPs) look like IAM permission policies and use almost exactly the same JSON syntax. However, an SCP never grants permissions. Think of an SCP instead as a “filter” that restricts which services and actions the users and roles in the attached accounts can use; a principal can only do what its IAM policies allow AND what every SCP on the path from the root down to its account lets through. An SCP attached at the root therefore cascades its restrictions, not permissions, to every OU and account below it. Two caveats worth remembering: SCPs do not restrict the management account itself, and AWS attaches a default FullAWSAccess SCP (Allow *) to every root, OU and account, so detaching it without an explicit allow-list SCP in its place blocks everything beneath that node.
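To make the inheritance and “filter” rules concrete, here is a small model of the root → OU → account hierarchy described above. It is an added example, not code from the original post or from AWS; it evaluates SCP documents written in the real SCP JSON syntax, but only the Effect and Action elements (Resource, NotAction and Condition are deliberately not modelled), and the organization, account IDs and policies are constructed sample data. The hypothetical helper `is_allowed` shows the two conditions a request must meet: the IAM policy must grant the action, and every SCP level from the root to the account must let it through.

```python
"""Toy model of SCP inheritance across an AWS organization (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Optional


def _glob_to_re(pattern: str) -> re.Pattern:
    # IAM-style pattern: '*' matches any run of characters, '?' exactly one;
    # action names compare case-insensitively, as in real IAM evaluation.
    esc = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{esc}$", re.IGNORECASE)


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, action: str) -> bool:
    return any(_glob_to_re(p).match(action) for p in _as_list(patterns))


def policy_decision(policies, action: str) -> bool:
    """Evaluate one set of policy documents (IAM or SCP) for a single action.

    Same rule for both: a matching explicit Deny wins; otherwise the action is
    allowed only if some Allow statement matches (implicit deny by default).
    Only Effect and Action are modelled here (no Resource/NotAction/Condition).
    """
    explicitly_allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            explicitly_allowed = True
    return explicitly_allowed


@dataclass
class OrgNode:
    """A root, an OU or an account. SCPs attached here apply to this node and
    are inherited by everything beneath it."""
    name: str
    parent: Optional["OrgNode"] = None
    scps: list = field(default_factory=list)

    def path_from_root(self) -> list:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]


def scp_allows(account: OrgNode, action: str) -> bool:
    """Effective SCP verdict: the action must pass the SCPs at EVERY level from the
    root down to the account. A Deny anywhere on the path filters it out, and a
    level with no matching Allow (e.g. FullAWSAccess detached) blocks it as well."""
    return all(policy_decision(node.scps, action) for node in account.path_from_root())


def is_allowed(account: OrgNode, identity_policies, action: str) -> bool:
    """Final decision for a principal in the account: the IAM identity policy must
    grant the action AND the SCP chain must let it through. SCPs never grant."""
    return scp_allows(account, action) and policy_decision(identity_policies, action)


# Policy documents in SCP/IAM JSON syntax, embedded as dicts (constructed sample data).
FULL_AWS_ACCESS = {  # the default SCP AWS attaches to every root, OU and account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_LEAVE_ORG = {  # root-level guardrail: no account may detach itself from the org
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}
DENY_IAM_USERS = {  # OU-level guardrail: no long-lived IAM users or access keys in that OU
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"], "Resource": "*"}],
}
ADMIN_IAM = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READONLY_IAM = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}


def build_example_org() -> dict:
    """Root -> Executive OU and Financial OU -> one account each (constructed IDs)."""
    root = OrgNode("Root", scps=[FULL_AWS_ACCESS, DENY_LEAVE_ORG])
    exec_ou = OrgNode("Executive OU", root, scps=[FULL_AWS_ACCESS])
    fin_ou = OrgNode("Financial OU", root, scps=[FULL_AWS_ACCESS, DENY_IAM_USERS])
    return {
        "root": root, "exec_ou": exec_ou, "fin_ou": fin_ou,
        "exec_acct": OrgNode("111111111111", exec_ou, scps=[FULL_AWS_ACCESS]),
        "fin_acct": OrgNode("222222222222", fin_ou, scps=[FULL_AWS_ACCESS]),
    }


if __name__ == "__main__":
    org = build_example_org()
    checks = [
        ("fin_acct", ADMIN_IAM, "s3:GetObject"),                     # allowed
        ("fin_acct", ADMIN_IAM, "organizations:LeaveOrganization"),  # denied at root
        ("fin_acct", ADMIN_IAM, "iam:CreateUser"),                   # denied at Financial OU
        ("exec_acct", ADMIN_IAM, "iam:CreateUser"),                  # allowed: other OU
        ("exec_acct", S3_READONLY_IAM, "iam:CreateUser"),            # denied: IAM never granted it
    ]
    for acct, iam, action in checks:
        print(f"{org[acct].name:<14} {action:<36} {is_allowed(org[acct], [iam], action)}")
```

Run it and the last two lines make the point of the paragraph: an admin in the Executive OU can create IAM users because no SCP on its path denies it, while the same action in the Financial OU is filtered out by the OU-level Deny even though the IAM policy is identical; and an S3 read-only principal cannot create users anywhere, because a permissive SCP chain grants nothing on its own.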