Introducing Resource Control Policies In AWS Organizations
AWS Organizations is introducing resource control policies (RCPs), a new kind of authorization policy. RCPs are one kind of organization policy that you can use to govern access within your organization.
Resource control policies are not sufficient on their own to grant permissions to the resources in your organization. An RCP does not grant permissions.
Attaching resource control policies to individual test accounts is a good place to start. You can then move them up to OUs lower in the hierarchy.
Resources in accounts outside the organization are unaffected. Take, for instance, an Amazon S3 bucket that belongs to Account A within an organization
If the “Resource type” field for an action contains no resources, the RCPs of the calling principal's account are used. For instance, s3:GetObject authorizes the object resource.
RCPs affect only the resources in the organization’s member accounts. They do not affect resources in the management account.
Additionally, resource control policies have no effect on the ability of AWS services to assume a service-linked role.
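
The resource control policy below is an added example, not taken from the original page. It shows what "an RCP does not grant permissions" looks like in practice: the policy contains only a Deny statement with Principal "*", so it narrows who can reach S3 resources in the member accounts it is attached to and allows nothing by itself. The organization ID o-exampleorgid is a placeholder, and the choice of S3 actions and of the aws:PrincipalOrgID and aws:PrincipalIsAWSService conditions is an assumption made for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyS3AccessFromOutsideTheOrganization",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

A principal inside the organization still needs an identity-based or resource-based policy that allows the S3 action; this RCP only removes access for callers that fail the condition.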