---
id: service-control-policies
title: "Service Control Policies (SCPs)"
type: concept
tags:
  - AWS
  - Policy
  - Governance
last_updated: 2026-04-18
---

## Summary

One of the policy types in AWS Organizations, used to centrally manage the maximum permissions available to every account in the organization.

## Definition

Service Control Policies (SCPs) are a policy type in AWS Organizations used to set the maximum permission boundary for all accounts in the organization. They never grant permissions; they only limit the range of permissions that can be used.

## Key Attributes

- **Type**: organization policy
- **Scope**: organizational unit (OU) or individual account
- **Effect**: Allow or Deny
- **Precedence**: a Deny statement always overrides an Allow statement

## Use Cases

- Enforce a tagging standard, e.g. block creation of EC2 instances that carry no tag
- Restrict resource deployment to specific regions
- Prevent deletion of critical resources (e.g. CloudTrail, VPC Flow Logs)

## Examples

Deny `ec2:RunInstances` when the request carries no `CostCenter` tag. The `Null` condition operator tests whether the tag key is absent from the request; a `StringEquals` comparison would only match a tag whose value literally equals the given string.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": ["arn:aws:ec2:*:*:instance/*"],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
```

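The following Python script is an added illustration, not AWS code and not part of the original note. It models the three rules the note states (an SCP never grants, an explicit Deny wins, and SCPs attached at the root, each OU and the account all bound that account) and evaluates the tag-enforcement SCP above against constructed requests. The hierarchy (Root → "Workloads" OU → account), the account id, the regions, the region-lock policy and the deliberately broken `StringEquals` variant are all constructed for the example; the evaluator supports only the `Null`, `StringEquals` and `StringNotEquals` operators and ignores `NotAction`, so it is a teaching model of the real evaluation logic, not a replacement for it.

```python
"""Toy evaluator for AWS Organizations SCP semantics (illustration only, not AWS code)."""
import fnmatch

# Constructed SCPs for the example. Real organizations attach the AWS-managed
# "FullAWSAccess" policy by default; FULL_ACCESS plays that role here.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

REQUIRE_COSTCENTER_TAG = {  # the policy shown in the Examples section
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ec2:RunInstances"],
                   "Resource": ["arn:aws:ec2:*:*:instance/*"],
                   "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}}]}

BROKEN_TAG_CHECK = {  # pitfall: only denies a tag whose value is the string "absent"
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ec2:RunInstances"],
                   "Resource": ["arn:aws:ec2:*:*:instance/*"],
                   "Condition": {"StringEquals": {"aws:RequestTag/CostCenter": "absent"}}}]}

REGION_LOCK = {  # constructed region restriction (real ones exempt global services via NotAction)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"StringNotEquals": {
                       "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}

# Assumed hierarchy: Root -> "Workloads" OU -> account. Each level lists the SCPs attached there.
HIERARCHY = [[FULL_ACCESS], [FULL_ACCESS, REQUIRE_COSTCENTER_TAG, REGION_LOCK], [FULL_ACCESS]]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively, "*" and "ec2:*" are wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_met(condition, ctx):
    """ctx maps condition keys (e.g. request tags) to their values for this request."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            present = key in ctx
            if operator == "Null":  # "true" means the key must be absent
                if (str(expected).lower() == "true") != (not present):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":  # a missing key satisfies a Not* operator
                if present and ctx[key] in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None when no statement matches the request."""
    result = None
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow in this policy
        result = "Allow"
    return result


def scp_permits(levels, action, resource, ctx):
    """levels: SCP lists from the root down to the account.
    The request must be allowed, and not denied, at every level of the path."""
    for policies in levels:
        decisions = [evaluate_policy(p, action, resource, ctx) for p in policies]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def is_authorized(iam_allows, levels, action, resource, ctx):
    """Final decision: the identity's IAM policy must grant AND the SCP boundary must permit."""
    return bool(iam_allows) and scp_permits(levels, action, resource, ctx)


if __name__ == "__main__":
    action, resource = "ec2:RunInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc"
    tagged = {"aws:RequestTag/CostCenter": "1234", "aws:RequestedRegion": "eu-west-1"}
    untagged = {"aws:RequestedRegion": "eu-west-1"}
    print("tagged, eu-west-1:", is_authorized(True, HIERARCHY, action, resource, tagged))
    print("untagged:", is_authorized(True, HIERARCHY, action, resource, untagged))
    print("broken check on untagged:", evaluate_policy(BROKEN_TAG_CHECK, action, resource, untagged))
```

Two points the run makes visible: a deny-list SCP attached on its own, without an Allow at the same level, blocks everything in that OU (the `"Allow" not in decisions` branch), and the `StringEquals`/`"absent"` variant silently lets untagged instances through because no statement matches.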
## Related Concepts

- [[Multi-Account Strategy]]: SCPs are one component of a multi-account strategy
- [[Gruntwork Landing Zone]]: Gruntwork Landing Zone uses SCPs to enforce governance