Fortifying Your Security Baseline with Service Control Policies

Enhance your AWS security by using Service Control Policies (SCPs) to protect your security baseline. Learn best practices and use cases in this comprehensive guide.
TL;DR - Learn how Service Control Policies (SCPs) can protect your AWS security baseline by preventing unauthorized changes and enhancing overall security.

Maintaining a security baseline in AWS accounts is crucial for ensuring consistent and secure configurations across your organization. Service Control Policies (SCPs) provide a powerful tool to enforce this baseline and protect your AWS environment from accidental or malicious changes.

What is a Security Baseline?

A security baseline is the initial configuration of an AWS account that should always remain consistent. This configuration often includes enabling services like CloudTrail and GuardDuty, setting up specific IAM roles, and ensuring certain security measures are in place. Maintaining this baseline helps protect your accounts from unauthorized modifications and ensures a standard level of security across your organization.

General Guidance for SCPs

SCPs are policies that you can use to manage permissions in your AWS Organization. They enable you to control what actions can be performed in the accounts within your organization. Here are some best practices for creating and managing SCPs:

  • Combine Policies: You are limited in the number of SCPs you can use, so combine multiple policies into a single SCP with separate statements.
  • Be Cautious: SCPs are powerful but can create usability issues if not used carefully. Avoid creating too many exception cases.
  • Provide Visibility: Use tools like Delegated Administrator for AWS Organizations to give engineers visibility into the SCPs affecting their accounts.
Free Assessment

Use Cases for SCPs

Protecting IAM Roles

IAM roles are a critical part of your security baseline. Use SCPs to prevent unauthorized modifications to these roles. Here’s an example policy:

Protecting AWS Services

Protect services like CloudTrail and GuardDuty from being disabled or modified. Here’s an example policy:

Preventing Accounts from Leaving

Prevent accounts from leaving the organization to avoid circumventing SCPs:

Preventing Root Access

Restrict root user actions to mitigate account takeover risks:


Implementing SCPs is a powerful way to protect your AWS security baseline. By preventing unauthorized changes, you can ensure your accounts remain secure and compliant with your organization’s standards. Regularly review and update your SCPs to adapt to new threats and changes in your environment.


What is the difference between SCPs and IAM policies?
SCPs control what actions can be performed in the accounts within your AWS Organization, while IAM policies manage permissions within individual accounts.
Can SCPs be used to manage permissions across multiple AWS accounts?
Yes, SCPs are applied at the organization level and can manage permissions across all accounts within the organization.
What are the limitations of SCPs?
SCPs cannot grant permissions; they can only restrict actions. Additionally, they do not apply to service-linked roles.
How can I monitor the effectiveness of my SCPs?
Regular audits and monitoring tools can help ensure that your SCPs are effectively enforcing your security baseline.
What should I do if an SCP conflicts with a legitimate business requirement?
Review the SCP to see if it can be adjusted or if an exception can be made without compromising security.

Never miss an update.

Subscribe for spam-free updates and articles.
Thanks for subscribing!
Oops! Something went wrong while submitting the form.