Using Service Control Policies in Stax
Service control policies (SCPs) allow you to manage permissions within your Organization. Stax allows you to create and attach SCPs to your Organization, Organizational Units (OUs) and Accounts. In addition, Stax attaches several default SCPs to entities within your Organization in order to protect Stax resources and maintain the integrity of the platform. These SCPs cannot be removed.
Considerations
- SCPs cannot be attached to root. This is reserved for Stax-managed SCPs, which are attached to root to protect Stax-provisioned resources and configurations that provide critical security services and controls. Stax-managed SCPs are also attached to the Security and Logging accounts.
- Stax allows you to attach SCPs to your Organization. When you attach SCPs to your Organization, Stax attaches the respective SCPs to every OU within your Organization. Any accounts that exist within the root will not inherit the permissions of the SCPs attached to your Organization.
- If you have previously used Account Types for attaching SCPs to accounts, the SCPs will now appear as direct account attachments, rather than attached to Account Types. Stax no longer supports attaching SCPs to Account Types.
- Stax only allows you to utilise the Deny list strategy with SCPs. By default, all actions are allowed.
- If you wish to attach an SCP to your Organization, you must first remove all existing OU and Account attachments of that SCP via the Detach an SCP flow below. Conversely, to detach an SCP from your Organization and attach it to individual entities instead, you must first remove the Organization attachment for that SCP via the Detach an SCP flow below.
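The two rules above that matter most at runtime are the deny-list strategy (every action is allowed until a Deny statement matches it) and the attachment model (an Organization-level attachment fans out to every OU, so an account sitting directly under root does not inherit it). The following Python is an added example, not Stax's or AWS's own code: it checks that an SCP document is a valid deny-list policy, evaluates whether a given action is denied by it, and models which SCPs an account ends up with under the attachment rules stated on this page. The sample policy, OU names and account names are constructed for illustration; the attachment model assumes a single level of OUs and does not model nested-OU inheritance.

```python
"""Deny-list SCP checks and a minimal attachment model (added example)."""
import fnmatch
import json

# Constructed sample: a deny-list SCP that blocks leaving the organization
# and disabling CloudTrail. Illustrative only, not a Stax-managed policy.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": ["organizations:LeaveOrganization"],
      "Resource": "*"
    },
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def check_deny_list_scp(doc):
    """Return the problems that make `doc` unusable as a deny-list SCP.

    An empty list means the document only removes permissions, which is
    the only strategy this page says Stax supports.
    """
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = _as_list(doc.get("Statement", []))
    if not statements:
        problems.append("policy has no statements")
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"#{i}")
        if st.get("Effect") != "Deny":
            problems.append(f"{sid}: Effect must be Deny (deny-list strategy)")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"{sid}: statement needs Action or NotAction")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{sid}: statement needs Resource or NotResource")
    return problems


def is_action_denied(doc, action):
    """True if any Deny statement matches `action`; otherwise it stays allowed.

    Matching is case-insensitive and honours the IAM wildcards * and ?.
    """
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            return True
    return False


def effective_scps(account, attachments):
    """SCPs that apply to `account` under the attachment rules on this page.

    `account` is {"name": str, "ou": str or None}; `ou` is None when the
    account sits directly under root. `attachments` has the shape
    {"organization": [..], "ou": {ou_name: [..]}, "account": {name: [..]}}.
    Organization-level SCPs are attached to every OU rather than to root,
    so a root-level account receives only its direct attachments.
    """
    scps = []
    if account["ou"] is not None:
        scps += attachments.get("organization", [])
        scps += attachments.get("ou", {}).get(account["ou"], [])
    scps += attachments.get("account", {}).get(account["name"], [])
    return scps


if __name__ == "__main__":
    print("problems:", check_deny_list_scp(SAMPLE_SCP))
    print("StopLogging denied:", is_action_denied(SAMPLE_SCP, "cloudtrail:StopLogging"))
    layout = {"organization": ["DenyLeaveOrganization"],
              "ou": {"Workloads": ["DenyUnapprovedRegions"]},
              "account": {"root-account": ["AccountSpecific"]}}
    print(effective_scps({"name": "workload-a", "ou": "Workloads"}, layout))
    print(effective_scps({"name": "root-account", "ou": None}, layout))
```

Running `check_deny_list_scp` on a policy before attaching it in the Stax console catches the common mistake of pasting an Allow-based identity policy into an SCP; `effective_scps` makes the root-account exception concrete, which is why the page recommends managing OUs and attachments from within Stax rather than directly in AWS.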
Before You Begin
- Ensure you are a member of the Admin role in your Stax tenancy
- Stax recommends that you manage OUs and their associated SCPs from within Stax. At this point in time, Stax does not maintain a data sync between AWS and Stax. Therefore, if you make updates to OUs and SCPs from within AWS, these will not be reflected within Stax.
Create an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Click Create Policy
- Provide the required information
- Click Create
Edit an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Select the Policy you would like to edit
- Click Actions
- Click Edit Policy in the dropdown
- Make the required changes and click Save
Delete an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Select the Policy you would like to delete
- Click Actions
- Click Delete in the dropdown
- Click Yes, Delete in the pop-up modal
Attach an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Select the Policy you would like to attach an entity to
- Click the edit icon in the Attachments table
- Tick the checkbox of the entity you would like to attach the policy to - Organization, OU(s) or Account(s)
- Click Save
Detach an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Select the Policy you would like to detach an entity from
- Click the edit icon in the Attachments table
- Untick the checkbox of the entity you would like to detach the policy from - Organization, OU(s) or Account(s)
- Click Save
Add Tags to an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Select the Policy you would like to add tags to
- Click the edit icon in the Tags table
- Enter a Tag Name and Tag Value, then click Add
- Click Save
Remove Tags from an SCP
- Log in to the Stax Console
- Select Organization
- Click Service Control Policies in the sub-menu
- Select the Policy you would like to remove tags from
- Click the edit icon in the Tags table
- Click the x icon next to the tag to be deleted
- Click Save