# Service Control Policies
Takomo supports managing service control policies.
Service control policies are supported only when all features are enabled in the organization.
Service control policies are configured in the `serviceControlPolicies` object, where keys are policy names and values are objects containing configuration for the corresponding policies.
The policy object has the following keys:
- `description` - Mandatory description for the policy
- `awsManaged` - Boolean value defining if the policy is managed by AWS
# Example: Configure a service control policy
Here's how to configure a service control policy named `my-policy`:

```yaml
serviceControlPolicies:
  my-policy:
    description: My strict policy
```
# Service Control Policy Files
For each policy that is not AWS managed, there must be a corresponding policy .json file with the same name in the
# AWS Managed Service Control Policies
There is a default service control policy that is managed by AWS and named `FullAWSAccess`. You can't provide your own policy with this name. You can still use this policy with your organizational units and accounts by defining it with
# Example: Configure the AWS managed default policy
Here's how to configure the default AWS managed service control policy.

```yaml
serviceControlPolicies:
  FullAWSAccess:
    description: AWS managed default policy
    awsManaged: true
```
# Disabling Service Control Policies
Service control policies are enabled on the organization if the local configuration has at least one policy defined. It is also possible to disable service control policies by setting value
serviceControlPolicies like so:
# Deploying Service Control Policies
Takomo identifies service control policies by name. When the organization is launched, Takomo compares the policies found in the local configuration to the ones existing in the organization:
- The policy is removed from the organization if it is found in the organization but not in the local configuration
- The policy is added to the organization if it is found in the local configuration but not in the organization
- The policy in the organization is updated if its description or content differs from the ones given in the local configuration
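
The three rules above, as an added example (not Takomo's own code) that computes the resulting plan so that removals of existing guardrails can be reviewed before a launch. The function name `planPolicyDeployment`, the input shapes, the whitespace-insensitive content comparison, and leaving AWS managed policies out of the plan are assumptions; the sample data is constructed.

```javascript
// Added example, not Takomo's implementation. Content is compared as parsed
// JSON, so only whitespace differences are ignored (assumption).
const normalize = (content) => JSON.stringify(JSON.parse(content));

function planPolicyDeployment(localPolicies, orgPolicies) {
  const plan = { add: [], update: [], remove: [], errors: [] };
  const localNames = new Set(Object.keys(localPolicies));
  const orgByName = new Map(orgPolicies.map((p) => [p.name, p]));

  for (const [name, local] of Object.entries(localPolicies)) {
    if (local.awsManaged) continue; // owned by AWS, nothing to deploy (assumption)
    if (name === "FullAWSAccess") {
      plan.errors.push(`${name}: name is reserved for the AWS managed policy`);
    } else if (typeof local.content !== "string") {
      plan.errors.push(`${name}: no ${name}.json policy file was loaded`);
    } else if (!orgByName.has(name)) {
      plan.add.push(name);
    } else {
      const existing = orgByName.get(name);
      const changed = existing.description !== local.description ||
        normalize(existing.content) !== normalize(local.content);
      if (changed) plan.update.push(name);
    }
  }
  for (const existing of orgPolicies) {
    // A policy absent from the local configuration is deleted on launch.
    if (!existing.awsManaged && !localNames.has(existing.name)) {
      plan.remove.push(existing.name);
    }
  }
  return plan;
}

// Constructed sample data: `content` stands for the text of <name>.json.
const deny = '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:*","Resource":"*"}]}';
const local = {
  FullAWSAccess: { description: "AWS managed default policy", awsManaged: true },
  "my-policy": { description: "My strict policy", content: deny },
  "new-policy": { description: "Added locally", content: deny },
};
const org = [
  { name: "FullAWSAccess", awsManaged: true, description: "Default", content: "{}" },
  { name: "my-policy", awsManaged: false, description: "Old text", content: deny },
  { name: "legacy-deny", awsManaged: false, description: "Not in local config", content: deny },
];
console.log(planPolicyDeployment(local, org));
```

A non-empty `remove` list is the part to review: each entry is a policy that would no longer apply to the organizational units and accounts it is attached to.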