AWS Certified SysOps Administrator - Associate
Domain 4 Security and Compliance
Using Organizational Policies to Scope Organization Permissions
Welcome back, students. In this lesson, we explore the different types of organizational policies available in AWS Organizations. AWS Organizations not only leverages Service Control Policies (SCPs) to manage AWS accounts but also provides additional policies such as tag policies, backup policies, and the AI Services Opt-Out Policy.
AWS Organizations enables you to group multiple AWS accounts, which is particularly beneficial when a corporate headquarters oversees various subsidiaries. The headquarters can enforce specific rules, for instance ensuring that S3 buckets are not publicly exposed or that databases are not reachable from the internet. SCPs are the tool for enforcing such rules across every account in your organization. For example, an SCP can deny the launching of resources in unapproved regions, helping to maintain compliance with corporate policy.
Reminder
SCPs are attached from the management account at the organization root and inherited down through child organizational units to the member accounts, ensuring consistent access controls across your AWS environment.
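An SCP of the kind described above, added here as an example rather than taken from the lesson: it denies every action whose requested region is outside two approved regions, and exempts a set of global services whose API endpoints are not in those regions and would otherwise be blocked by the condition. The approved region list and the exempted service list are assumptions; substitute your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "waf:*",
        "shield:*",
        "globalaccelerator:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

Because an SCP only sets the maximum permissions for member accounts, a principal still needs an IAM policy that allows the action in the approved regions; the SCP does not grant anything by itself.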
Tag Policies
If your company mandates consistent tagging across all resources (for example, by environment or application), AWS Organizations offers tag policies to enforce uniform key-value formatting standards. This ensures that every service within your AWS accounts adheres to a standardized tagging convention.
Backup Policies
Backup policies are critical in mandating regular backups to prevent data loss from key services such as EBS, EFS, and RDS. For example, a backup policy might require each department to perform daily backups to safeguard their data consistently.
AI Services Opt-Out Policy
The AI Services Opt-Out Policy allows organizations to control whether AWS AI/ML services may use their data. For instance, if the legal department decides to restrict the use of facial recognition or advanced AI tools on company data, the AI Services Opt-Out Policy can prevent AWS from using submitted data, such as text, audio, images, or videos, to train its AI models.
Overview of AWS Organizational Policies
To summarize, AWS Organizations offers four principal types of policies:
| Policy Type | Purpose | Example Use Case |
|---|---|---|
| Service Control Policies | Restrict access to specific AWS services/actions across accounts | Prevent launching resources in unauthorized regions |
| Tag Policies | Enforce a consistent tagging convention for resources | Ensure all resources are tagged by environment or application |
| Backup Policies | Mandate regular backups to prevent data loss | Require daily backups for IT data from EBS volumes, EFS, and RDS services |
| AI Services Opt-Out | Opt out of using AWS AI/ML services on company data for model training | Prevent AI services from processing customer data, such as disabling facial recognition tools |
This overview covers the various types of organizational policies that you may encounter on the AWS certification exam. For more detailed information on AWS Organizations and its policies, visit the AWS Documentation page.
Thank you for reading this lesson.