Introducing Resource Control Policies In AWS Organizations

AWS Organizations is introducing resource control policies (RCPs), a new kind of authorization policy. RCPs are one of the organization policy types you can use to govern access to the resources in your organization.

Resource control policies do not, on their own, grant any permissions to your organization's resources. An RCP never grants access; it sets the maximum permissions available to resources in member accounts, and an IAM identity-based or resource-based policy must still grant the access for a request to succeed.

Attaching resource control policies to individual test accounts is a good place to start. Once you have confirmed their effect there, you can attach them to OUs, starting with those lower in the hierarchy and moving up.

Resources owned by accounts outside the organization are unaffected. Take, for instance, an Amazon S3 bucket owned by Account A, a member account of the organization: the RCPs attached to Account A govern access to that bucket, whichever account the caller belongs to.

If the "Resource types" column in the Service Authorization Reference is empty for an action, the RCPs of the calling principal's account are applied. Where a resource type is listed, the RCPs of the account that owns that resource apply; for instance, s3:GetObject is authorized against the object resource type, so the RCPs of the account that owns the bucket are evaluated.

RCPs affect only resources in the organization's member accounts. Resources in the management account are unaffected by them.

Additionally, resource control policies do not affect an AWS service's ability to assume a service-linked role; calls made through service-linked roles are not restricted by RCPs.
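The scoping rules above (an RCP only narrows what other policies grant, it is evaluated in the account that owns the resource or, for actions with no resource type, the caller's account, and it never applies to the management account or to service-linked roles) are easy to get wrong when reasoning about a cross-account request. The following added example, which is not code from AWS or from this page, writes one RCP in the form Organizations accepts and runs a small model of those rules over constructed requests. The organization ID, account IDs and the `RCPS` mapping are placeholders, and the condition evaluator handles only the two `...IfExists` operators this policy uses.

```python
"""Model of where an RCP applies and what it can do (added illustration, not AWS code)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

ORG_ID = "o-exampleorg1"             # placeholder organization ID
MANAGEMENT_ACCOUNT = "111111111111"  # placeholder; RCPs never apply to its resources
MEMBER_ACCOUNTS = {"222222222222", "333333333333"}  # placeholder member accounts
# Any other account ID is treated as outside the organization.

# An RCP as it would be written: a Deny that leaves only principals in this
# organization (and AWS service principals) able to call S3 against resources
# in member accounts. Note there is no Allow; an RCP can only narrow access.
RCP_REQUIRE_ORG_PRINCIPAL_FOR_S3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceOrgIdentities",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
        },
    }],
}

# Placeholder deployment: the same RCP attached to every member account.
RCPS: Dict[str, List[dict]] = {acct: [RCP_REQUIRE_ORG_PRINCIPAL_FOR_S3] for acct in MEMBER_ACCOUNTS}


@dataclass
class Request:
    action: str
    caller_account: str
    resource_account: Optional[str]  # None when the action has no resource type
    granted: bool                    # an identity- or resource-based policy allows it
    caller_is_service: bool = False
    via_service_linked_role: bool = False


def rcp_account(req: Request) -> Optional[str]:
    """Account whose RCPs are evaluated for this request, or None if none apply."""
    if req.via_service_linked_role:
        return None  # RCPs do not restrict service-linked roles
    # Empty "Resource types" column: caller's account. Otherwise: resource owner.
    account = req.caller_account if req.resource_account is None else req.resource_account
    if account not in MEMBER_ACCOUNTS:
        return None  # management account, or an account outside the organization
    return account


def _conditions_hold(conditions: dict, ctx: dict) -> bool:
    """Evaluate the ...IfExists operators used above; a key absent from ctx matches."""
    for operator, pairs in conditions.items():
        if operator not in ("StringNotEqualsIfExists", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                continue
            if operator == "StringNotEqualsIfExists" and actual == expected:
                return False
            if operator == "BoolIfExists" and actual != expected:
                return False
    return True


def rcp_denies(rcp: dict, req: Request) -> bool:
    """True if a Deny statement in this RCP matches the request's action and context."""
    ctx = {"aws:PrincipalIsAWSService": "true" if req.caller_is_service else "false"}
    if req.caller_account in MEMBER_ACCOUNTS | {MANAGEMENT_ACCOUNT}:
        ctx["aws:PrincipalOrgID"] = ORG_ID  # set only for principals inside the org
    for stmt in rcp["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny" and any(fnmatch(req.action, a) for a in actions)
                and _conditions_hold(stmt.get("Condition", {}), ctx)):
            return True
    return False


def evaluate(req: Request, rcps_by_account: Dict[str, List[dict]]) -> str:
    """Explicit RCP deny wins; otherwise some other policy must still grant the call."""
    for rcp in rcps_by_account.get(rcp_account(req), []):
        if rcp_denies(rcp, req):
            return "DENIED_BY_RCP"
    return "ALLOWED" if req.granted else "IMPLICIT_DENY"


def demo() -> Dict[str, str]:
    """Constructed requests against a bucket owned by member account 222222222222."""
    bucket_owner = "222222222222"
    cases = {
        "org caller, bucket policy grants": Request("s3:GetObject", "333333333333", bucket_owner, True),
        "external caller, bucket policy grants": Request("s3:GetObject", "444444444444", bucket_owner, True),
        "org caller, nothing grants": Request("s3:GetObject", "333333333333", bucket_owner, False),
        "external caller, management-account bucket": Request("s3:GetObject", "444444444444", MANAGEMENT_ACCOUNT, True),
        "AWS service principal": Request("s3:PutObject", "", bucket_owner, True, caller_is_service=True),
    }
    return {name: evaluate(req, RCPS) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The second case is the one worth noticing: the bucket policy grants the external principal access, yet the member account's RCP still denies it, whereas the same request against a management-account bucket is allowed because no RCP applies there. To roll the policy document out for real, enable the policy type on the root (`aws organizations enable-policy-type --policy-type RESOURCE_CONTROL_POLICY`), create it with `aws organizations create-policy --type RESOURCE_CONTROL_POLICY`, and use `aws organizations attach-policy` against a test account before any OU.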