AWS Made Easy

Tip #12: Use an AWS SCP (Service Control Policy) to limit service access

Best practices and AWS SCP examples to restrict access to expensive services

The best practice for large AWS accounts is to use AWS Organizations and to set up separate AWS accounts for separate workflows.

By default, AWS Organizations attaches the FullAWSAccess AWS managed policy to the root of the organization, which allows every account in the organization to call any action of any service in any AWS region.

Allowing everybody to launch any type of resource may not be cost-effective, as inexperienced users tend to choose resource types poorly for their workloads, resulting in unnecessary costs.

Fortunately, AWS Organizations allows you to set up AWS Service Control Policies (SCPs) which deny AWS access to undesired services, actions, or regions.

We recommend setting up these AWS SCP examples:

  1. Prevent users from changing or deleting key IAM roles, IAM policies, and resources created according to the baseline requirements – for example, logging and monitoring services such as AWS CloudWatch, VPC Flow Logs, AWS Config, AWS GuardDuty, or AWS CloudTrail.
  2. Enforce encryption – all storage resources should use encryption. For example, create SCPs that prevent the creation of unencrypted EBS volumes or S3 buckets.
  3. Restrict services to only a few AWS regions – your organization is likely to use just a few AWS regions in order to get the most out of cost-saving programs (Savings Plans, Reserved Instances, volume discounts, etc.). Use an SCP to deny the creation of any resource in any AWS region you have not chosen.
  4. Restrict the list of allowed EC2 / RDS instance types to launch – for example, the on-demand hourly price of a Windows EC2 instance ranges from $0.008100 to $129.808000. The wrong choice of instance type will result in unnecessarily excessive bills. See the sample SCP for forbidding certain EC2 instance types from launching.
  5. Restrict the list of allowed services to use – you should proactively enable only the services required for each project, and only certain configurations of those services. For example, one can mistakenly create a DynamoDB table with provisioned capacity and upfront costs of hundreds of thousands of USD.

Note: you can also limit the allowed services / actions / regions using IAM Policies, but SCPs are a better practice.
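As an added example (not the site's own code), the following Python builds the region and instance-type SCPs from tips 3 and 4 and evaluates sample requests against them locally. The region list, instance-type patterns and the list of global services excluded from the region deny are assumptions to adapt; the evaluator models only the Deny statements it generates and assumes FullAWSAccess remains attached.

```python
import fnmatch
# Global services report their home region (us-east-1 for IAM, STS, CloudFront, ...) in
# aws:RequestedRegion, so a region deny must exclude them or it also blocks those APIs.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*",
                          "cloudfront:*", "route53:*", "budgets:*", "health:*"]

def region_scp(allowed_regions):
    """Tip 3: deny every region-scoped action outside the chosen regions (assumed list)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnapprovedRegions", "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}}}]}

def instance_type_scp(allowed_type_patterns):
    """Tip 4: deny RunInstances for instance types not on the allow list. Scoped to the
    instance ARN: ec2:InstanceType is absent for the volume/ENI resources of the same
    call, and a negated operator evaluates true when its key is missing."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnapprovedInstanceTypes", "Effect": "Deny",
        "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotLike": {"ec2:InstanceType": allowed_type_patterns}}}]}

def _matches(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def denied_by_scp(policy, action, context):
    """Model of the Deny side of SCP evaluation (FullAWSAccess assumed still attached):
    blocked iff a Deny statement matches the action and all its conditions hold. Only the
    two negated string operators used above are modelled; a missing key counts as a match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            if not _matches(stmt["Action"], action):
                continue
        elif _matches(stmt["NotAction"], action):
            continue
        holds = True
        for op, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key not in context:
                    continue
                if op == "StringNotEquals":
                    holds &= context[key] not in values
                elif op == "StringNotLike":
                    holds &= not _matches(values, context[key])
        if holds:
            return True
    return False
```

Before attaching either policy to an OU, review the result with the IAM Policy Simulator or CloudTrail in a sandbox account, since the local evaluator above does not model Allow statements or the full set of condition operators.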
