Using Service Control Policies in Stax

Service control policies (SCPs) allow you to manage permissions within your Organization. Stax allows you to create and attach SCPs to your Organization, Organizational Units (OUs) and Accounts. In addition, Stax attaches several default SCPs to entities within your Organization in order to protect Stax resources and maintain the integrity of the platform. These SCPs cannot be removed.

Considerations

  • SCPs cannot be attached to root. This is reserved for Stax-managed SCPs, which are attached to root to protect Stax-provisioned resources and configurations that provide critical security services and controls. Stax-managed SCPs are also attached to the Security and Logging accounts.
  • Stax allows you to attach SCPs to your Organization. When you attach SCPs to your Organization, Stax attaches the respective SCPs to every OU within your Organization. Any accounts that exist within the root will not inherit the permissions of the SCPs attached to your Organization.
  • If you have previously used Account Types for attaching SCPs to accounts, the SCPs will now appear as direct account attachments, rather than attached to Account Types. Stax no longer supports attaching SCPs to Account Types.
  • Stax only allows you to utilise the Deny list strategy with SCPs. By default, all actions are allowed.
  • If you wish to attach an SCP to your Organization, you must first remove all existing attachments of that SCP via the Detach an SCP flow below. To detach an SCP from your Organization and attach that SCP to individual entities, you must first remove the organization attachment for that SCP via the Detach an SCP flow below.
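The attachment rules above can be modelled to find accounts that an Organization-level SCP does not reach. This is an added example, not Stax code or a Stax API: the organization tree, entity IDs and SCP names are constructed, and Stax-managed SCPs on root are left out of the model.

```python
# Constructed sample organization; every name and ID here is made up.
ROOT = "root"
PARENT = {  # child -> parent, for OUs and accounts
    "ou-prod": ROOT,
    "ou-prod-web": "ou-prod",
    "ou-sandbox": ROOT,
    "acct-web-1": "ou-prod-web",
    "acct-sbx-1": "ou-sandbox",
    "acct-legacy": ROOT,  # account sitting directly in the root
}
OUS = {"ou-prod", "ou-prod-web", "ou-sandbox"}
ORG_SCPS = {"deny-leave-org"}  # attached to the Organization
DIRECT = {  # attached directly to an OU or an account
    "ou-prod": {"deny-region-outside-au"},
    "acct-legacy": {"deny-iam-users"},
}


def expand_org_attachments(org_scps, ous, direct):
    """An Organization attachment becomes an attachment on every OU, never on root."""
    attached = {entity: set(scps) for entity, scps in direct.items()}
    for ou in ous:
        attached.setdefault(ou, set()).update(org_scps)
    return attached


def effective_denies(account, parent, attached, root=ROOT):
    """Deny-list strategy: a Deny anywhere on the path applies, so take the union."""
    scps, node = set(), account
    while node != root:
        scps |= attached.get(node, set())
        node = parent[node]
    return scps


def audit(parent, ous, org_scps, direct):
    """Return each account's effective SCPs and the accounts missing an Organization SCP."""
    attached = expand_org_attachments(org_scps, ous, direct)
    accounts = [entity for entity in parent if entity not in ous]
    report = {a: effective_denies(a, parent, attached) for a in accounts}
    uncovered = sorted(a for a, scps in report.items() if not org_scps <= scps)
    return report, uncovered


if __name__ == "__main__":
    report, uncovered = audit(PARENT, OUS, ORG_SCPS, DIRECT)
    for account, scps in sorted(report.items()):
        print(account, sorted(scps))
    print("accounts missing Organization SCPs:", uncovered)
```

Accounts reported as uncovered need the SCP attached to them directly, or need to be moved into an OU.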