Removing the default FullAWSAccess SCP

  • By default, an SCP named FullAWSAccess is attached to every root, OU, and account; it allows all actions on all services.

  • Once the default FullAWSAccess SCP is removed, every action on every service is implicitly denied.

  • To use SCPs as a whitelist, you must replace the AWS-managed FullAWSAccess SCP with an SCP that explicitly permits only those services and actions that you want to allow.

  • Your custom SCP then overrides the implicit Deny with an explicit Allow for only those actions that you want to permit.
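The evaluation described in the bullets above, as an added worked example (not from the original page or from AWS): a simplified model of how attached SCPs combine for one action, run against three attachment sets, the default FullAWSAccess document, nothing attached, and a hypothetical allow-list SCP. The policy documents and action names are constructed for illustration; resource ARNs, Conditions, NotAction and inheritance from parent OUs are deliberately left out of the model.

```python
import fnmatch
import json

# Constructed policy documents (not taken from the page). FULL_AWS_ACCESS mirrors
# the shape of the AWS-managed default; ALLOW_LIST_SCP is a hypothetical replacement
# that permits only EC2 plus two read-only S3 actions.
FULL_AWS_ACCESS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""")

ALLOW_LIST_SCP = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject", "s3:ListBucket"],
   "Resource": "*"}]}""")


def _matches(patterns, action):
    """Case-insensitive wildcard match of one action against a statement's Action."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_permits(action, attached_scps):
    """Simplified SCP evaluation for one action at one level of the hierarchy.

    Modelled rules: an explicit Deny in any attached SCP wins; otherwise the
    action is permitted only if some attached SCP explicitly allows it; with no
    matching Allow the outcome is the implicit deny. Resource ARNs, Conditions,
    NotAction and parent-OU inheritance are ignored in this model.
    """
    allowed = False
    for scp in attached_scps:
        statements = scp["Statement"]
        if isinstance(statements, dict):  # a single statement may be written bare
            statements = [statements]
        for stmt in statements:
            if not _matches(stmt.get("Action", []), action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def evaluate_scenarios(actions=("ec2:RunInstances", "s3:PutObject", "iam:CreateUser")):
    """Return {scenario: {action: permitted}} for the three attachment sets."""
    scenarios = {"default": [FULL_AWS_ACCESS], "removed": [], "allow-list": [ALLOW_LIST_SCP]}
    return {name: {a: scp_permits(a, scps) for a in actions} for name, scps in scenarios.items()}


if __name__ == "__main__":
    print(json.dumps(evaluate_scenarios(), indent=2))
```

Attaching the replacement allow-list SCP before detaching FullAWSAccess avoids the "removed" state above, in which nothing at all is permitted.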