

# Resource control policies (RCPs)
<a name="orgs_manage_policies_rcps"></a>

**Note**  
**Service control policies (SCPs) and resource control policies (RCPs)**  
Use an SCP when you need to limit permissions of IAM principals within your organization's member accounts.  
Use an RCP when you need to restrict IAM principals that are external to your organization from making requests to access resources within your organization’s member accounts.  
For more information, see [Understanding SCPs and RCPs](orgs_manage_policies_authorization_policies.md).

Resource control policies (RCPs) are a type of organization policy that you can use to manage permissions in your organization. RCPs offer central control over the maximum available permissions for resources in your organization. RCPs help you to ensure resources in your accounts stay within your organization’s access control guidelines. RCPs are available only in an organization that has [all features enabled](orgs_manage_org_support-all-features.md). RCPs aren't available if your organization has enabled only the consolidated billing features. For instructions on enabling RCPs, see [Enabling a policy type](enable-policy-type.md).

RCPs alone are not sufficient to grant permissions to the resources in your organization. An RCP grants no permissions. Instead, it defines a permissions guardrail, or sets limits, on the actions that identities can take on resources in your organization. The administrator must still attach identity-based policies to IAM users or roles, or resource-based policies to resources in your accounts, to actually grant permissions. For more information, see [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *IAM User Guide*.

The [effective permissions](#rcp-effects-on-permissions) are the logical intersection between what is allowed by the RCPs and [service control policies (SCPs)](orgs_manage_policies_scps.md) and what is allowed by the identity-based and resource-based policies.

**RCPs don't affect resources in the management account**  
RCPs don't affect resources in the management account. They only affect resources in the member accounts within your organization. This also means that RCPs apply to member accounts that are designated as delegated administrators.

**Topics on this page**
+ [List of AWS services that support RCPs](#rcp-supported-services)
+ [Testing effects of RCPs](#rcp-warning-testing-effect)
+ [Maximum size of RCPs](#rcp-size-limit)
+ [Attaching RCPs to different levels in the organization](#rcp-about-inheritance)
+ [RCP effects on permissions](#rcp-effects-on-permissions)
+ [Resources and entities not restricted by RCPs](#actions-not-restricted-by-rcps)
+ [RCP evaluation](orgs_manage_policies_rcps_evaluation.md)
+ [RCP syntax](orgs_manage_policies_rcps_syntax.md)
+ [Resource control policy examples](orgs_manage_policies_rcps_examples.md)

## List of AWS services that support RCPs
<a name="rcp-supported-services"></a>

RCPs apply to actions for the following AWS services:
+ [Amazon S3](https://docs.aws.amazon.com/s3)
+ [AWS Security Token Service](https://docs.aws.amazon.com/iam)
+ [AWS Key Management Service](https://docs.aws.amazon.com/kms)
+ [Amazon SQS](https://docs.aws.amazon.com/sqs)
+ [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager)
+ [Amazon Cognito](https://docs.aws.amazon.com/cognito)
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/cloudwatch)
+ [Amazon DynamoDB](https://docs.aws.amazon.com/dynamodb)
+ [Amazon Elastic Container Registry](https://docs.aws.amazon.com/ecr)
+ [Amazon OpenSearch Serverless](https://docs.aws.amazon.com/opensearch-service)

## Testing effects of RCPs
<a name="rcp-warning-testing-effect"></a>

AWS strongly recommends that you don't attach RCPs to the root of your organization without thoroughly testing the impact that the policy has on resources in your accounts. You can begin by attaching RCPs to individual test accounts, moving them up to OUs lower in the hierarchy, and then working your way up through the organization structure as needed. One way to determine impact is to review AWS CloudTrail logs for Access Denied errors.
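To make the CloudTrail review concrete, the following added example (not code from the AWS documentation) triages constructed CloudTrail-style `AccessDenied` records during a staged rollout. Denials for callers outside the organization are what an RCP aimed at external access is expected to produce; denials for the organization's own accounts point at workloads the new policy may have broken and should be investigated before the policy moves up the hierarchy. The account IDs, the set of member accounts and the events are all constructed for the example; the field names (`eventSource`, `eventName`, `errorCode`, `recipientAccountId`, `userIdentity.accountId`) are standard CloudTrail record fields.

```python
from collections import Counter

# Constructed set of the organization's member accounts (example values, not real accounts).
ORG_ACCOUNTS = {"222222222222", "333333333333"}

# Constructed CloudTrail-style records, trimmed to the fields the triage needs.
# The last record has no accountId and is treated as an anonymous caller.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "222222222222", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accountId": "999999999999"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "222222222222", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accountId": "999999999999"}},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "recipientAccountId": "333333333333", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole", "accountId": "333333333333"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "recipientAccountId": "222222222222", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSAccount"}},
]

# Error codes that CloudTrail records for denied requests, depending on the service.
DENIED_CODES = {"AccessDenied", "AccessDeniedException"}


def triage_access_denied(events, org_accounts):
    """Split denied requests by whether the caller belongs to the organization.

    Returns a dict with two Counters keyed by (resource account, service, action):
      "external": denials for callers outside org_accounts (expected under an
                  RCP that blocks external access)
      "internal": denials for the organization's own principals (candidates for
                  workloads the RCP broke)
    """
    buckets = {"external": Counter(), "internal": Counter()}
    for ev in events:
        if ev.get("errorCode") not in DENIED_CODES:
            continue  # successful call, nothing to triage
        caller = ev.get("userIdentity", {}).get("accountId", "anonymous")
        key = (ev["recipientAccountId"], ev["eventSource"], ev["eventName"])
        side = "internal" if caller in org_accounts else "external"
        buckets[side][key] += 1
    return buckets


def report(events, org_accounts):
    """Plain-text summary; internal denials come first because they need attention."""
    buckets = triage_access_denied(events, org_accounts)
    lines = []
    for side in ("internal", "external"):
        for (account, source, action), count in sorted(buckets[side].items()):
            lines.append(f"{side:8} {account} {source} {action} x{count}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS, ORG_ACCOUNTS)))
```

In practice the records would come from a CloudTrail Lake query or an Athena table over the trail's S3 bucket rather than an inline list; the split into internal and external callers is the same.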

## Maximum size of RCPs
<a name="rcp-size-limit"></a>

All characters in your RCP count against its [maximum size](orgs_reference_limits.md#min-max-values). The examples in this guide show the RCPs formatted with extra white space to improve their readability. However, to save space if your policy size approaches the maximum size, you can delete any white space, such as space characters and line breaks that are outside quotation marks.

**Tip**  
Use the visual editor to build your RCP. It automatically removes extra white space.

## Attaching RCPs to different levels in the organization
<a name="rcp-about-inheritance"></a>

You can attach RCPs directly to individual accounts, OUs, or the organization root. For a detailed explanation of how RCPs work, see [RCP evaluation](orgs_manage_policies_rcps_evaluation.md).

## RCP effects on permissions
<a name="rcp-effects-on-permissions"></a>

RCPs are a type of AWS Identity and Access Management (IAM) policy. They are most closely related to [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html). However, an RCP never grants permissions. Instead, RCPs are access controls that specify the maximum available permissions for resources in your organization. For more information, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.
+ RCPs apply to resources for a subset of AWS services. For more information, see [List of AWS services that support RCPs](#rcp-supported-services).
+ RCPs ***affect only resources*** that are managed by accounts that are part of the organization which has attached the RCPs. They don't affect resources from accounts outside the organization. For example, consider an Amazon S3 bucket that's owned by Account A in an organization. The bucket policy (a resource-based policy) grants access to users from Account B outside the organization. Account A has an RCP attached. That RCP applies to the S3 bucket in Account A even when accessed by users from Account B. However, that RCP does not apply to resources in Account B when accessed by users in Account A.
+ An RCP restricts permissions for resources in member accounts. Any resource in an account has only those permissions permitted by ***every*** parent above it. If a permission is blocked at any level above the account, a resource in the affected account does not have that permission, even if the resource owner attaches a resource-based policy that allows full access to any user.
+ RCPs apply to the resources that are authorized as part of an operation request. These resources can be found in the "Resource type" column of the Action table in the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#actions_table). If a resource is specified in the "Resource type" column, then the RCPs applicable to the account that owns that resource are applied. For example, `s3:GetObject` authorizes the object resource. Whenever a `GetObject` request is made, an applicable RCP will apply to determine whether the requesting principal can invoke the `GetObject` operation. An *applicable RCP* is an RCP that has been attached to the account, to an organizational unit (OU), or to the root of the organization that owns the resource being accessed.
+ RCPs affect only resources in ***member*** accounts in the organization. They have no effect on resources in the management account. This also means that RCPs apply to member accounts that are designated as delegated administrators. For more information, see [Best practices for the management account](orgs_best-practices_mgmt-acct.md).
+ When a principal makes a request to access a resource within an account that has an attached RCP (a resource with an applicable RCP), the RCP is included in the policy evaluation logic to determine whether the principal is allowed or denied access.
+ RCPs impact the effective permissions of principals trying to access resources in a member account with an applicable RCP, regardless of whether the principals belong to the same organizations or not. This includes root users. The exception is when principals are service-linked roles because RCPs do not apply to calls made by service-linked roles. Service-linked roles enable AWS services to perform necessary actions on your behalf and can't be restricted by RCPs. 
+ Users and roles must still be granted permissions with appropriate IAM permission policies, including identity-based and resource-based policies. A user or role without any IAM permission policies has no access, even if an applicable RCP allows all services, all actions, and all resources.

## Resources and entities not restricted by RCPs
<a name="actions-not-restricted-by-rcps"></a>

You ***can't*** use RCPs to restrict the following:
+ Any action on resources in the management account.
+ RCPs do not impact the effective permissions of any service-linked role. Service-linked roles are a unique type of IAM role that is linked directly to an AWS service and include all the permissions that the service requires to call other AWS services on your behalf. The permissions of service-linked roles can't be restricted by RCPs. RCPs also do not impact AWS services' ability to assume a service-linked role; that is, the service-linked role's trust policy is also not impacted by RCPs.
+ RCPs do not apply to [AWS managed keys for AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). AWS managed keys are created, managed, and used on your behalf by an AWS service. You cannot change or manage their permissions.
+ RCPs do not impact the following permissions:  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html)

# RCP evaluation
<a name="orgs_manage_policies_rcps_evaluation"></a>

**Note**  
The information in this section does ***not*** apply to management policy types, including backup policies, tag policies, chat applications policies, or AI services opt-out policies. For more information, see [Understanding management policy inheritance](orgs_manage_policies_inheritance_mgmt.md).

As you can attach multiple resource control policies (RCPs) at different levels in AWS Organizations, understanding how RCPs are evaluated can help you write RCPs that yield the right outcome.

## Strategy for using RCPs
<a name="how_rcps_deny"></a>

The `RCPFullAWSAccess` policy is an AWS managed policy. It is automatically attached to the organization root, every OU, and every account in your organization, when you enable resource control policies (RCPs). You cannot detach this policy. This default RCP allows all principals and actions access to pass through RCP evaluation, meaning until you start creating and attaching RCPs, all your existing IAM permissions continue to operate as they did. This AWS managed policy does not grant access.

You can make use of `Deny` statements to block access to resources in your organization. For a permission to be **denied** for a resource in a specific account, **any RCP** from the root through each OU in the direct path to the account (including the target account itself) can deny that permission.

`Deny` statements are a powerful way to implement restrictions that should be true for a broader part of your organization. For example, you can attach a policy at the root level to help prevent identities external to your organization from accessing your resources, and that policy will be effective for all accounts in the organization. AWS strongly recommends that you don't attach RCPs to the root of your organization without thoroughly testing the impact that the policy has on resources in your accounts. For more information, see [Testing effects of RCPs](orgs_manage_policies_rcps.md#rcp-warning-testing-effect).

In Figure 1, there is an RCP attached to the Production OU that has an explicit `Deny` statement specified for a given service. As a result, both Account A and Account B will be denied access to the service, because a deny policy attached at any level in the organization is evaluated for all the OUs and member accounts underneath it.

![\[Example organization structure with a Deny statement attached at Production OU and its impact on Account A and Account B\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/rcp_deny_1.png)


*Figure 1: Example organization structure with a `Deny` statement attached at Production OU and its impact on Account A and Account B*
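The following added example (not code from the AWS documentation) is a small model of the rules stated in "RCP effects on permissions" and in this evaluation section: an RCP never grants, any `Deny` on the path from the root to the account that owns the resource removes the permission, resources in the management account are out of scope, and calls by service-linked roles are exempt. The organization tree, the IDs and the two RCPs are constructed for the example (the `Deny` at the Production OU mirrors Figure 1; the root policy is a secure-transport check), and the condition matching covers only the two operators those sample policies use. It is a teaching model, not the IAM policy evaluation engine.

```python
from fnmatch import fnmatchcase

# Constructed organization (example IDs): root -> Production OU -> Account A and Account B,
# root -> Sandbox OU -> Account C, plus the management account directly under the root.
ORG_ID = "o-exampleorg"
MANAGEMENT_ACCOUNT = "111111111111"
PARENT = {                          # child -> parent; the root has no entry
    "ou-prod": "r-root",
    "ou-sandbox": "r-root",
    MANAGEMENT_ACCOUNT: "r-root",
    "222222222222": "ou-prod",      # Account A
    "333333333333": "ou-prod",      # Account B
    "444444444444": "ou-sandbox",   # Account C
}

# Constructed RCPs attached at two levels. The Deny at the Production OU reaches both
# Account A and Account B (Figure 1); the root policy reaches every member account.
RCPS = {
    "r-root": [{"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureS3Transport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}}}]}],
    "ou-prod": [{"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyPrincipalsOutsideOrg", "Effect": "Deny", "Principal": "*",
        "Action": ["s3:*", "sqs:*"], "Resource": "*",
        "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID}}}]}],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def path_to_root(account_id):
    """Yield the account, then each OU above it, then the root."""
    node = account_id
    while node is not None:
        yield node
        node = PARENT.get(node)


def condition_matches(condition, ctx):
    """Simplified subset of IAM condition operators, enough for the sample RCPs."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEqualsIfExists":
                # True when the key is absent from the request or its value differs.
                if actual is not None and actual in as_list(expected):
                    return False
            elif operator == "BoolIfExists":
                # True when the key is absent from the request or its value is equal.
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def statement_denies(stmt, action, ctx):
    return (stmt["Effect"] == "Deny"
            and any(fnmatchcase(action, pattern) for pattern in as_list(stmt["Action"]))
            and condition_matches(stmt.get("Condition", {}), ctx))


def rcp_denies(resource_account, action, ctx):
    """True if any RCP from the root down to the resource-owning account denies the action.
    Resources in the management account and calls by service-linked roles are out of scope."""
    if resource_account == MANAGEMENT_ACCOUNT or ctx.get("principal_is_service_linked_role"):
        return False
    return any(statement_denies(stmt, action, ctx)
               for node in path_to_root(resource_account)
               for policy in RCPS.get(node, [])
               for stmt in as_list(policy["Statement"]))


def is_allowed(resource_account, action, ctx, granted_by_iam_policies):
    """Effective permission: an RCP never grants; it only removes what identity-based or
    resource-based policies already grant (the logical intersection described above)."""
    return granted_by_iam_policies and not rcp_denies(resource_account, action, ctx)


if __name__ == "__main__":
    in_org = {"aws:PrincipalOrgID": ORG_ID, "aws:SecureTransport": "true"}
    external = {"aws:PrincipalOrgID": "o-otherorg", "aws:SecureTransport": "true"}
    print("in-org caller, bucket in Account A:", is_allowed("222222222222", "s3:GetObject", in_org, True))
    print("external caller, bucket in Account A:", is_allowed("222222222222", "s3:GetObject", external, True))
    print("external caller, bucket in Account C:", is_allowed("444444444444", "s3:GetObject", external, True))
```

The request context (`ctx`) stands in for the condition keys IAM populates on a real request; an anonymous request carries no `aws:PrincipalOrgID`, which is why the `...IfExists` form of the operator still denies it.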

# RCP syntax
<a name="orgs_manage_policies_rcps_syntax"></a>

Resource control policies (RCPs) use a similar syntax to that used by [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). For more information about IAM policies and their syntax, see [Overview of IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

An RCP is structured according to the rules of [JSON](http://json.org). It uses the elements that are described in this topic.

**Note**  
All characters in your RCP count against its [maximum size](orgs_reference_limits.md#min-max-values). The examples in this guide show the RCPs formatted with extra white space to improve their readability. However, to save space if your policy size approaches the maximum size, you can delete any white space, such as space characters and line breaks that are outside quotation marks.

For general information about RCPs, see [Resource control policies (RCPs)](orgs_manage_policies_rcps.md).

## Elements summary
<a name="rcp-elements-table"></a>

The following table summarizes the policy elements that you can use in RCPs.

**Note**  
**The effect of `Allow` is only supported for the `RCPFullAWSAccess` policy**  
The effect of `Allow` is only supported for the `RCPFullAWSAccess` policy. This policy is automatically attached to the organization root, every OU, and every account in your organization, when you enable resource control policies (RCPs). You cannot detach this policy. This default RCP allows all principals and actions access to pass through RCP evaluation, meaning until you start creating and attaching RCPs, all your existing IAM permissions continue to operate as they did. This does not grant access.


| Element | Purpose | 
| --- | --- | 
| [Version](#rcp-syntax-version) | Specifies the language syntax rules to use for processing the policy. | 
| [Statement](#rcp-syntax-statement) | Serves as the container for policy elements. You can have multiple statements in RCPs. | 
| [Statement ID (Sid)](#rcp-syntax-sid) | (Optional) Provides a friendly name for the statement. | 
| [Effect](#rcp-syntax-effect) | Defines whether the RCP statement denies access to the resources in an account. | 
| [Principal](#rcp-syntax-principal) | Specifies the principal that is allowed or denied access to resources in an account. | 
|  [Action](#rcp-syntax-action)  |  Specifies AWS service and actions that the RCP allows or denies.  | 
| [Resource](#rcp-syntax-resource) | Specifies the AWS resources that the RCP applies to. | 
| [NotResource](#rcp-syntax-resource) |  Specifies the AWS resources that are exempt from the RCP. Used instead of the `Resource` element.  | 
| [Condition](#rcp-syntax-condition) | Specifies conditions for when the statement is in effect. | 

**Topics**
+ [Elements summary](#rcp-elements-table)
+ [`Version` element](#rcp-syntax-version)
+ [`Statement` element](#rcp-syntax-statement)
+ [Statement ID (`Sid`) element](#rcp-syntax-sid)
+ [`Effect` element](#rcp-syntax-effect)
+ [`Principal` element](#rcp-syntax-principal)
+ [`Action` element](#rcp-syntax-action)
+ [`Resource` and `NotResource` elements](#rcp-syntax-resource)
+ [`Condition` element](#rcp-syntax-condition)
+ [Unsupported elements](#rcp-syntax-unsupported)

## `Version` element
<a name="rcp-syntax-version"></a>

Every RCP must include a `Version` element with the value **"2012-10-17"**. This is the same version value as the most recent version of IAM permission policies.

For more information, see [IAM JSON Policy Elements: Version](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html) in the *IAM User Guide*.

## `Statement` element
<a name="rcp-syntax-statement"></a>

An RCP consists of one or more `Statement` elements. You can have only one `Statement` keyword in a policy, but the value can be a JSON array of statements (surrounded by [ ] characters).

The following example shows a single statement that consists of single `Effect`, `Principal`, `Action`, and `Resource` elements.

```
{
    "Statement": {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutBucketPublicAccessBlock",
        "Resource": "*"
    }
}
```

For more information, see [IAM JSON Policy Elements: Statement](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html) in the *IAM User Guide*.

## Statement ID (`Sid`) element
<a name="rcp-syntax-sid"></a>

The `Sid` is an optional identifier that you provide for the policy statement. You can assign a `Sid` value to each statement in a statement array. The following example RCP shows a sample `Sid` statement. 

```
{
    "Statement": {
        "Sid": "DenyBPAConfigurations",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutBucketPublicAccessBlock",
        "Resource": "*"
    }
}
```

For more information, see [IAM JSON Policy Elements: Sid](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) in the *IAM User Guide*.

## `Effect` element
<a name="rcp-syntax-effect"></a>

Each statement must contain one `Effect` element. Using the value of `Deny` in the `Effect` element, you can restrict access to specific resources or define conditions for when RCPs are in effect. For RCPs that you create, the value must be `Deny`. For more information, see [RCP evaluation](orgs_manage_policies_rcps_evaluation.md) and [IAM JSON Policy Elements: Effect](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html) in the *IAM User Guide*.

## `Principal` element
<a name="rcp-syntax-principal"></a>

Each statement must contain the `Principal` element. You can only specify `"*"` in the `Principal` element of an RCP. Use the `Condition` element to restrict specific principals.

For more information, see [IAM JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in the *IAM User Guide*.

## `Action` element
<a name="rcp-syntax-action"></a>

Each statement must contain the `Action` element.

The value for the `Action` element is a string or list (a JSON array) of strings that identify AWS services and actions that are allowed or denied by the statement.

Each string consists of the abbreviation for the service (such as "s3", "sqs", or "sts"), in all lowercase, followed by a colon and then an action from that service. Generally, they are all entered with each word starting with an uppercase letter and the rest lowercase. For example: `"s3:ListAllMyBuckets"`.

You also can use wildcard characters such as asterisk (\*) or question mark (?) in an RCP:
+ Use an asterisk (\*) as a wildcard to match multiple actions that share part of a name. The value `"s3:*"` means all actions in the Amazon S3 service. The value `"sts:Get*"` matches only the AWS STS actions that begin with "Get".
+ Use the question mark (?) wildcard to match a single character.

**Note**  
**Wildcards (\*) and question marks (?) can be used anywhere in the action name**  
You cannot use a bare `"*"` as the value of the `Action` element in a customer managed RCP. You have to specify the abbreviation for the service (such as "s3", "sqs", or "sts") whose access you want to restrict, for example `"s3:*"`.

For a list of the services that support RCPs, see [List of AWS services that support RCPs](orgs_manage_policies_rcps.md#rcp-supported-services). For a list of the actions an AWS service supports, see [Actions, Resources, and Condition Keys for AWS Services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.

For more information, see [IAM JSON Policy Elements: Action](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html) in the *IAM User Guide*.

## `Resource` and `NotResource` elements
<a name="rcp-syntax-resource"></a>

Each statement must contain the `Resource` or `NotResource` element.

You can use wildcard characters such as asterisk (\*) or question mark (?) in the resource element:
+ Use an asterisk (\*) as a wildcard to match multiple resources that share part of a name.
+ Use the question mark (?) wildcard to match a single character.

For more information, see [IAM JSON Policy Elements: Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) and see [IAM JSON Policy Elements: NotResource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html) in the *IAM User Guide*.

## `Condition` element
<a name="rcp-syntax-condition"></a>

 You can specify a `Condition` element in deny statements in an RCP. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
```

This RCP denies access to Amazon S3 operations and resources unless the request occurs over secure transport (the request was sent over TLS). 

For more information, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

## Unsupported elements
<a name="rcp-syntax-unsupported"></a>

The following elements are not supported in RCPs:
+ `NotPrincipal`
+ `NotAction`
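The rules from the elements summary through this list are mechanical enough to check before a policy ever reaches the console. The following added example (not AWS's own validation, which the service performs when you create or update a policy) encodes them: the required `Version` value, `Deny` as the only effect for customer managed RCPs, `"*"` as the only principal, a service-prefixed `Action` rather than a bare wildcard, exactly one of `Resource` or `NotResource`, and rejection of `NotPrincipal` and `NotAction`. It also minifies the policy the way the size note describes, by dropping whitespace outside quoted strings. The mapping from the supported services to their IAM service prefixes is an assumption of the example, not something the page states; the two sample policies are constructed, the first being the secure-transport policy shown in the `Condition` section.

```python
import json

POLICY_VERSION = "2012-10-17"
# IAM service prefixes for the services listed as supporting RCPs (assumed mapping, not from the page).
SUPPORTED_PREFIXES = {"s3", "sts", "kms", "sqs", "secretsmanager", "cognito-idp",
                      "logs", "dynamodb", "ecr", "aoss"}
UNSUPPORTED_ELEMENTS = {"NotPrincipal", "NotAction"}
KNOWN_ELEMENTS = {"Sid", "Effect", "Principal", "Action", "Resource", "NotResource", "Condition"}

# Constructed sample policies: one that follows every rule, one that breaks several.
SECURE_TRANSPORT_RCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}},
    }],
}
BROKEN_RCP = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "Broken", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},   # constructed account ID
        "Action": "*", "NotAction": "s3:GetObject", "NotResource": "*",
    },
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def validate_rcp(policy):
    """Return a list of problems; an empty list means the policy satisfies the rules above."""
    errors = []
    if policy.get("Version") != POLICY_VERSION:
        errors.append(f'Version must be "{POLICY_VERSION}"')
    statements = policy.get("Statement")
    if statements is None:
        return errors + ["Statement element is required"]
    for index, stmt in enumerate(as_list(statements)):
        where = stmt.get("Sid") or f"statement[{index}]"
        for key in sorted(set(stmt) & UNSUPPORTED_ELEMENTS):
            errors.append(f"{where}: {key} is not supported in RCPs")
        for key in sorted(set(stmt) - KNOWN_ELEMENTS - UNSUPPORTED_ELEMENTS):
            errors.append(f"{where}: unknown element {key}")
        if stmt.get("Effect") != "Deny":
            errors.append(f"{where}: Effect must be Deny (Allow is reserved for RCPFullAWSAccess)")
        if stmt.get("Principal") != "*":
            errors.append(f'{where}: Principal must be "*" (restrict principals with Condition instead)')
        if "Action" not in stmt:
            errors.append(f"{where}: Action is required")
        for action in as_list(stmt.get("Action", [])):
            prefix, separator, _ = action.partition(":")
            if action == "*" or not separator:
                errors.append(f'{where}: Action "{action}" must name a service prefix, not a bare wildcard')
            elif prefix not in SUPPORTED_PREFIXES:
                errors.append(f"{where}: service {prefix} does not support RCPs")
        if ("Resource" in stmt) == ("NotResource" in stmt):
            errors.append(f"{where}: exactly one of Resource or NotResource is required")
        if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
            errors.append(f"{where}: Condition must be a JSON object")
    return errors


def minify(policy):
    """Serialize without the whitespace outside quotation marks that counts toward the size limit."""
    return json.dumps(policy, separators=(",", ":"))


def size_savings(policy):
    """Characters saved by minifying, relative to the indented form used in the examples."""
    return len(json.dumps(policy, indent=4)) - len(minify(policy))


if __name__ == "__main__":
    for name, policy in (("secure transport", SECURE_TRANSPORT_RCP), ("broken", BROKEN_RCP)):
        print(f"{name}: {validate_rcp(policy) or 'OK'}")
    print("minified:", minify(SECURE_TRANSPORT_RCP))
```

Running the validator in a pre-commit hook or CI job for the repository that holds your policies catches these structural mistakes early; it does not replace testing the policy's effect in a non-production OU, since a syntactically valid RCP can still deny more than intended.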

# Resource control policy examples
<a name="orgs_manage_policies_rcps_examples"></a>

The example [resource control policies (RCPs)](orgs_manage_policies_rcps.md) displayed in this topic are for information purposes only.

**Before using these examples**  
Before you use these example RCPs in your organization, consider the following:  
[Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) are meant to be used as coarse-grained preventative controls, and they don't grant access. You must still attach [identity-based or resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) to IAM principals or resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between the SCP/RCP and an identity policy or the SCP/RCP and a resource policy. You can get more details about RCP effects on permissions [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-effects-on-permissions).
The resource control policies in this section are shown as examples. You should not attach RCPs without thoroughly testing the impact that the policy has on resources in your accounts. Once you have a policy ready that you would like to implement, we recommend testing in a separate organization or OU that can represent your production environment. Once tested, you should deploy changes to test OUs and then progressively deploy the changes to a broader set of OUs over time.
The [RCPFullAWSAccess](https://console.aws.amazon.com/organizations/v2/home/policies/resource-control-policy/p-RCPFullAWSAccess) policy is automatically attached to the organization root, every OU, and every account in your organization, when you enable resource control policies (RCPs). This default RCP allows all principals and actions access to pass through RCP evaluation. You can make use of Deny statements to restrict access to resources in your organization. You still also need to grant appropriate permissions to your principals by using identity-based or resource-based policies.
A [Resource control policy (RCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html), when attached to an organization root, organization unit, or an account offers a central control over the maximum available permissions for resources in your organization, organization unit or an account. As an RCP can be applied at multiple levels in an organization, understanding how [RCPs are evaluated](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_evaluation.html) can help you write RCPs that yield the expected outcome.
The example policies in this section demonstrate the implementation and use of RCPs. They're ***not*** intended to be interpreted as official AWS recommendations or best practices to be implemented exactly as shown. It is your responsibility to carefully test any policies for their suitability to solve the business requirements of your environment. Deny-based resource control policies can unintentionally limit or block your use of AWS services unless you add the necessary exceptions to the policy.

**Tip**  
Before implementing RCPs, in addition to reviewing [AWS CloudTrail logs](https://aws.amazon.com/cloudtrail/), assessing [IAM Access Analyzer external access findings](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html#access-analyzer-findings-view-external) can help understand which resources are currently public or shared externally. 

## GitHub repository
<a name="rcp-github-repositories"></a>
+ [Resource control policy examples](https://github.com/aws-samples/resource-control-policy-examples) - This GitHub repository contains example policies to help you get started with, or mature, your usage of AWS RCPs.