Auto-sync: 2026-04-29 04:03
This commit is contained in:
87
wiki/concepts/Service-Control-Policy.md
Normal file
@@ -0,0 +1,87 @@
---
title: "Service Control Policy"
type: concept
tags:
- AWS
- Security
- Governance
- Multi-Account
last_updated: 2026-04-14
---

## Definition
AWS Service Control Policy(SCP,服务控制策略)是 AWS Organizations 中的一种策略类型,用于在组织单元(OU)或账户级别设置权限边界,限制成员账户可以使用的服务和操作。

## Key Characteristics

| 特性 | 描述 |
|------|------|
| **层级** | 组织级别(OU/账户),不覆盖 IAM 用户/角色 |
| **效果** | Deny > Allow(显式拒绝优先) |
| **评估逻辑** | 所有策略(SCP + IAM + 资源策略)取交集 |
| **范围** | 仅限 AWS Organizations 中使用 |

## SCP vs IAM Policy

| 维度 | SCP | IAM Policy |
|------|-----|------------|
| **层级** | 组织/账户 | 用户/角色/资源 |
| **默认效果** | 无限制(默认 FullAWSAccess) | 显式 Allow |
| **继承** | 向下继承,OU 子级继承父级 SCP | 附加到身份/资源 |
| **谁能修改** | Organization 管理账户 | IAM 管理员 |

## Common Use Cases

### 1. 限制Regions
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyNonApprovedRegions",
"Effect": "Deny",
"NotAction": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["us-east-1", "eu-west-1"]
}
}
}
]
}
```

### 2. 强制标签合规
SCP 可封禁未按要求添加特定标签(如 `OT_Environment`)的账户创建新资源。

### 3. 阻止敏感服务
```json
{
"Effect": "Deny",
"Action": ["s3:*"],
"Resource": "*"
}
```

## Connection to Tagging Standards

OpenText 标签标准中提到,未来可能通过 SCP 强制执行 99% 打标率 KPI:
- 要求所有云账户启用 OT_ 前缀标签
- 拒绝未满足标签要求的资源创建请求
- 与 [[Resource-Tagging]] 和 [[OpenText-Tagging-Standard]] 协同

## Security Best Practices

1. **最小权限原则**:始终从最严格开始,逐步放宽
2. **测试环境优先**:在非生产 OU 测试 SCP 效果
3. **FullAWSAccess 策略**:新 OU 默认允许全部,需显式限制
4. **定期审计**:检查 SCP 是否影响新 AWS 服务/功能

## Connections
- [[AWS-Organizations]] — SCP 是 AWS Organizations 的核心功能
- [[Multi-Cloud-Governance]] — SCP 是跨账户治理的 AWS 实现
- [[OpenText-Tagging-Standard]] — SCP 用于强制执行标签合规性

## References
- [[public-cloud-learning-sessions-tagging-standards-for-all-hyperscalers-20240123-1]]
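Review bot: the region-restriction SCP under `### 1. 限制Regions` denies nothing as written: `"Effect": "Deny"` combined with `"NotAction": "*"` matches the actions that are not any action, which is the empty set, so the `"aws:RequestedRegion"` condition is never evaluated and every region stays open. Either change the element to `"Action": "*"` so that all calls outside us-east-1 and eu-west-1 are denied, or keep `NotAction` and list the global services that must remain callable from any region (IAM, STS, Organizations, CloudFront, Route 53, Support and similar), which is the pattern this `NotAction` shape is meant for. Two smaller points in the tables: the `默认效果` row gives IAM Policy as `显式 Allow`, but IAM's default is implicit deny and an explicit Allow is what has to be added, so the cell should say that; and the `层级` row's `不覆盖 IAM 用户/角色` is misleading, since an SCP applies to every IAM user and role in a member account (it does not apply to the management account or to service-linked roles), so the row should say the SCP is attached at OU/account level rather than to individual principals. Finally, the snippet under `### 3. 阻止敏感服务` is a bare statement without the `"Version"`/`"Statement"` wrapper the first example uses; wrapping it the same way keeps both examples directly usable.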