# Service Control Policies

Takomo supports managing service control policies (SCPs) as part of the organization configuration.

NOTE: Service control policies are supported only when all features are enabled in the organization. An organization that was created with consolidated billing only cannot use SCPs until it is switched to all features.

# Configuration

Service control policies are configured in the serviceControlPolicies object, where keys are policy names and values are objects containing the configuration for the corresponding policies. Takomo identifies policies by these names, so renaming a policy in the configuration is treated as removing the old policy and creating a new one.

The policy object has the following keys:

  • description - Mandatory description for the policy
  • awsManaged - Optional boolean stating that the policy is managed by AWS. A policy without it is treated as your own and must have a policy file (see below).

# Example: Configure a service control policy

Here's how to configure a service control policy named my-policy:

```yaml
serviceControlPolicies:
  my-policy:
    description: My strict policy
```

# Service Control Policy Files

For each policy that is not AWS managed, there must be a corresponding policy document in a .json file with the same name in the organization/service-control-policies directory. For the my-policy example above, the file is organization/service-control-policies/my-policy.json. The file contains the SCP document itself, in the same JSON syntax AWS Organizations uses.
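As an added example (not taken from the Takomo documentation or project), here is a policy document that fits the "My strict policy" configuration above, saved as organization/service-control-policies/my-policy.json. The statement names and the exact set of denied actions are choices made for this example; they are common SCP guardrails and use only real AWS actions and condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyTamperingWithCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Two caveats when writing these files. An SCP never grants permissions, it only limits what IAM policies in the account can grant, so an account must still have an allowing policy such as the AWS managed FullAWSAccess attached somewhere in its path from the root, or nothing is permitted. And SCPs do not apply to the management account of the organization, only to member accounts.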

# AWS Managed Service Control Policies

There is a default service control policy that is managed by AWS and named FullAWSAccess. You can't provide your own policy with this name, and there is no policy file for it. You can still attach this policy to your organizational units and accounts by defining it with awsManaged: true.

# Example: Configure the AWS managed default policy

Here's how to configure the default AWS managed service control policy:

```yaml
serviceControlPolicies:
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
```

# Disabling Service Control Policies

Service control policies are enabled on the organization if the local configuration has at least one policy defined. It is also possible to disable service control policies by setting serviceControlPolicies to false:

```yaml
serviceControlPolicies: false
```

# Deploying Service Control Policies

Takomo uses service control policy names to identify them. When the organization is launched, Takomo compares the policies found in the local configuration to the ones existing in the organization:

  • The policy is removed from the organization if it is found in the organization but not in the local configuration
  • The policy is added to the organization if it is found in the local configuration but not in the organization
  • The policy in the organization is updated if its description or content differs from the ones given in the local configuration

The first rule means that the local configuration is the single source of truth: a policy created outside Takomo, for example in the AWS console, will be removed on the next launch unless it is also added to the local configuration.
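The three rules above are a reconciliation between two sets keyed by policy name. The following TypeScript is an added example that is not Takomo's own code; it shows one way to compute the plan (add, update, remove, unchanged) from a local configuration and a list of policies fetched from the organization. The interfaces, the sample policies and the decisions to skip AWS managed policies when removing and to compare policy content as canonical JSON (so key order and whitespace in the .json file do not count as a change) are assumptions of this example, not documented Takomo behaviour.

```typescript
// Added example: reconciling local SCP configuration with the organization.
// Shapes below are assumptions for this example, not Takomo's own types.
interface LocalPolicyConfig {
  description: string;
  awsManaged?: boolean;
  // Parsed content of organization/service-control-policies/<name>.json;
  // absent for AWS managed policies, whose content is owned by AWS.
  content?: unknown;
}

interface RemotePolicy {
  name: string;
  description: string;
  awsManaged: boolean;
  content: string; // policy document as JSON text, as an API would return it
}

interface Plan {
  add: string[];
  update: string[];
  remove: string[];
  unchanged: string[];
}

// Canonical JSON: sorted object keys, no whitespace. Two documents that differ
// only in key order or formatting canonicalise to the same string.
const canonical = (value: unknown): string => {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj).sort().map(k => `${JSON.stringify(k)}:${canonical(obj[k])}`);
    return `{${parts.join(",")}}`;
  }
  return JSON.stringify(value);
};

const planServiceControlPolicies = (
  local: Record<string, LocalPolicyConfig>,
  remote: RemotePolicy[],
): Plan => {
  const plan: Plan = { add: [], update: [], remove: [], unchanged: [] };
  const remoteByName = new Map(remote.map((p): [string, RemotePolicy] => [p.name, p]));

  // Rule 1: in the organization but not in local configuration -> remove.
  // Assumption: AWS managed policies (FullAWSAccess) are never removed.
  for (const p of remote) {
    if (!(p.name in local) && !p.awsManaged) plan.remove.push(p.name);
  }

  for (const [name, cfg] of Object.entries(local)) {
    const existing = remoteByName.get(name);
    if (cfg.awsManaged) {
      // AWS managed policies can only be referenced, never created or edited.
      if (!existing) throw new Error(`AWS managed policy ${name} not found in organization`);
      plan.unchanged.push(name);
      continue;
    }
    if (cfg.content === undefined) {
      throw new Error(`Missing organization/service-control-policies/${name}.json`);
    }
    // Rule 2: in local configuration but not in the organization -> add.
    if (!existing) {
      plan.add.push(name);
      continue;
    }
    // Rule 3: description or content differs -> update, otherwise unchanged.
    const changed =
      existing.description !== cfg.description ||
      canonical(JSON.parse(existing.content)) !== canonical(cfg.content);
    (changed ? plan.update : plan.unchanged).push(name);
  }
  return plan;
};

// Constructed sample input (not real organization data).
const denyLeave = {
  Version: "2012-10-17",
  Statement: [{ Sid: "DenyLeave", Effect: "Deny", Action: "organizations:LeaveOrganization", Resource: "*" }],
};
const sampleLocal: Record<string, LocalPolicyConfig> = {
  FullAWSAccess: { description: "AWS managed default policy", awsManaged: true },
  "my-policy": { description: "My strict policy", content: denyLeave },
  "deny-root": { description: "Deny root user", content: { Version: "2012-10-17", Statement: [] } },
};
const sampleRemote: RemotePolicy[] = [
  { name: "FullAWSAccess", description: "Allows access to every operation", awsManaged: true,
    content: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' },
  // Same content as local, but a stale description and different key order.
  { name: "my-policy", description: "Old description", awsManaged: false,
    content: '{"Statement":[{"Resource":"*","Action":"organizations:LeaveOrganization","Effect":"Deny","Sid":"DenyLeave"}],"Version":"2012-10-17"}' },
  // Created in the console, absent from local configuration.
  { name: "legacy-policy", description: "Created in the console", awsManaged: false,
    content: '{"Version":"2012-10-17","Statement":[]}' },
];

const samplePlan = planServiceControlPolicies(sampleLocal, sampleRemote);
console.log(JSON.stringify(samplePlan));
```

Running the sample yields add deny-root, update my-policy (the description changed even though the content is equivalent), remove legacy-policy and leave FullAWSAccess untouched. Dropping the description difference from the sample moves my-policy to unchanged, which is the key-order case the canonical comparison exists for.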

Last Updated: 5/4/2020, 3:54:44 PM