
Wafv2

AWS Organizations and Service Control Policies (SCP) play a crucial role in security, compliance and governance. Back in the day, various environments (dev, test, production, etc.) were cluttered within a single AWS account. AWS Control Tower (Landing Zone) and AWS Organizations made it easy to build accounts that are specific to organizational units, environments or special purposes. With a single account, there was no need for service control policies; everything was done using IAM and condition keys. But nowadays some organizations have hundreds of accounts, and SCPs are critical whether you have one account or many.

I see start-up and some enterprise customers using a single account and not creating an AWS Organization. Some AWS accounts that were created before AWS Organizations was released never migrated to it, which means these customers are not taking advantage of SCPs. Within a single account, one can build network isolation to segregate environments, but identity and access management and controlling cross-environment resource access become tricky. For customers that currently have a handful of AWS accounts, it is trivial to create a new management account and add the existing accounts to it. AWS Organizations and Control Tower are free of cost. I also highly recommend using AWS Control Tower, so why not use it and build a good governance foundation? Ideally, having external documentation of the effective SCP for every account helps when dealing with a large number of OUs and/or accounts. If you need help with this, feel free to reach out to me (I promise not to do a sales pitch 🙂).

SCPs are commonly used to:

  • Restrict use of unapproved AWS regions.
  • Prevent root account activity or access key creation. Ideally the root account should not be used after initial setup.

But most customers stick to one or a handful of them.
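The SCP below is an added example written for this post, not a policy from the author, that implements the two controls discussed above: restricting unapproved regions and blocking root-user activity. The approved regions eu-west-1 and eu-central-1 are assumed; the NotAction list exempts global services (which report their calls through a single region) so that IAM, Organizations and STS keep working, while every other API call outside the allowlist, and all activity by a member account's root user including access key creation, is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*",
        "health:*",
        "trustedadvisor:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    },
    {
      "Sid": "DenyRootUserActivity",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

SCPs never apply to the management account, so the root-user statement only protects member accounts; attach the policy at the OU level and remember that an SCP only caps permissions, it grants nothing by itself.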