
Amazon Web Services (AWS) is often adopted in a company organically. It might start with one or two departments using AWS for their own purposes, and before long there is pressure to establish controls that ensure AWS is used in accordance with company policies. As I explained last week, you can link multiple AWS accounts together under a primary account by using the new AWS Organizations feature. Linking AWS accounts provides oversight and consolidated billing; beyond that, you can establish some governance through service control policies. AWS does not enable service control policies automatically.

Log in to the AWS console and click on the AWS Organizations link, which is located under the list of AWS services. If you have already created an AWS Organization and added one or more accounts, you will now see a list of all accounts within the Organization. This screen has a number of tabs running along the top. Click on the Organize Accounts tab. You will see a message advising you that you must enable a policy type within this root before you can apply policies. Below this message is a list of all possible policy types; the only policy type listed by default is service control policies. Click on the Enable link just to the right of the policy type to enable service control policies, as shown in Figure 1.

Figure 1: To enable service control policies, click on the Enable button.

It takes approximately a minute for AWS to activate service control policies. The console view changes slightly once the policies have been enabled. Figure 2 shows that the Policies section now includes a link for Service Control Policies. You'll also see a link to disable service control policies.

Figure 2: The Policies section now has a link for Service Control Policies.

Clicking on the Service Control Policies link takes you to a screen that displays the policies applicable to each account. Figure 3 shows, for example, that my account (the only one I have) has inherited FullAWSAccess from the root level. This policy gives full access to AWS.

Figure 3: My account inherits the FullAWSAccess policy.

You may also notice that the list of Policies Attached/Available doesn't list any other policies. This is because we haven't created any additional policies yet. You will see a tab called Policies at the top of your screen; clicking on it brings up a list of all the current policies. You will also see a button on this screen that allows you to create a new policy.

Figure 4: To create a new policy, you can use the Create Policy tab.

There are two ways to create a policy. You can copy an existing policy and modify it to suit your needs, or you can use the Policy Generator to build your own. The Policy Generator is very easy to use. To begin, enter a name and an optional description for your policy. Next, specify the policy's overall effect, which can be set to Allow or Deny. Finally, add a list of services to the policy. If you set the overall effect to Deny, any services you add to the list will be blocked for every account that is subject to the policy.
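To make the Deny-list behaviour concrete, here is an added example (not code from the article or from AWS) that models how the policies discussed above combine. `FULL_AWS_ACCESS` has the shape of the AWS-managed FullAWSAccess policy that every account inherits from the root, and `DENY_LIST` is a constructed policy of the kind the Policy Generator produces when the overall effect is Deny and a list of services is added; the service names in it are assumptions for illustration. The evaluation rule implemented is the standard one for a set of service control policies at one level: a matching explicit Deny always wins, otherwise the action needs a matching Allow, and with no Allow at all the action is implicitly denied. It does not model per-OU inheritance through nested organizational units, and remember that a service control policy only sets a ceiling; it never grants permissions that IAM policies in the account do not already grant.

```python
"""Toy evaluator for how AWS service control policies (SCPs) combine.

Added example, not from the original article. Policy documents are
constructed inline; the Deny list names are illustrative assumptions.
"""
import fnmatch
import json

# Shape of the AWS-managed FullAWSAccess policy inherited from the root.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical Policy Generator output: overall effect Deny, two entries.
DENY_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ec2:*", "iam:CreateUser"],
            "Resource": "*",
        }
    ],
}


def _actions(statement):
    """The Action element may be a single string or a list of strings."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Combine the SCPs attached at one level for a single API action.

    Returns 'deny' if any Deny statement matches, 'allow' if no Deny
    matches but some Allow does, and 'implicit-deny' otherwise.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action) for p in _actions(stmt)):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # explicit deny always wins
            if stmt["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit-deny"


def blocked(policies, actions):
    """Return the subset of actions that the given SCPs do not permit."""
    return [a for a in actions if evaluate(policies, a) != "allow"]


def render(policy):
    """Serialise a policy document the way you would paste it into the console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    sample = ["s3:GetObject", "ec2:RunInstances", "iam:CreateUser", "iam:GetUser"]
    print("Root only (FullAWSAccess):", blocked([FULL_AWS_ACCESS], sample))
    print("Root + Deny list:", blocked([FULL_AWS_ACCESS, DENY_LIST], sample))
    print("Deny list alone (FullAWSAccess detached):",
          blocked([DENY_LIST], sample))
    print(render(DENY_LIST))
```

Running it shows the three situations the article leads up to: with only the inherited FullAWSAccess nothing is blocked, adding the Deny list blocks exactly the listed services while leaving everything else allowed, and detaching FullAWSAccess without attaching another Allow leaves every action implicitly denied.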