Monday, October 6, 2025

SCPs (Service Control Policies) together with IAM Conditions that Restrict Access to S3 | Overview.


A deep dive into SCPs (Service Control Policies) together with IAM Conditions to restrict access to Amazon S3.

View:

  •  Concept
  •  Mechanics
  •  Common Condition Keys
  •  Architecture Flow
  •  Visual diagram guidance for architecture illustration

 1. Concept: SCP vs. IAM Policy in S3 Access Control

| Layer | What It Does | Scope | Evaluation |
|---|---|---|---|
| SCP (Service Control Policy) | Sets guardrails at the organization/account level in AWS Organizations. SCPs define which services and actions are even allowed or denied across accounts. | Applied to AWS accounts or OUs (Organizational Units). | Evaluated before IAM policies. If an SCP denies, the request stops; no IAM policy can override it. |
| IAM Policy | Defines permissions for users, roles, and groups within the account. | Applied at the identity level. | Evaluated after the SCP (if the SCP allows). The IAM policy decides the final Allow/Deny. |

 Analogy:
Think of SCPs as the global “ceiling” (the building's main power supply) and IAM policies as the local controls (the “lights” inside each room).
NB:

If an SCP turns off the power to a service or action (e.g., s3:PutObject), no IAM policy can turn it back on.

 2. Mechanics: How SCPs + IAM Conditions Evaluate for S3

When an AWS principal tries to access S3 (e.g., PutObject):

1.     Request → Organization Level

o   SCPs attached to the account’s OU or root are checked.

o   If any SCP contains an explicit Deny that matches the request → access is immediately denied.

o   If not denied, evaluation continues.

2.     Request → IAM Policy Level

o   Identity-based policies and resource-based policies (bucket policies, ACLs) are evaluated.

o   IAM conditions (such as aws:SourceIp, s3:prefix, aws:PrincipalOrgID) determine whether the request context matches the rule.

3.     Result

o   AWS evaluates all applicable policies → if there is no Deny and at least one Allow → access is granted.

 3. Common SCP + IAM Conditions for Restricting S3 Access

# Example 1: Deny all S3 access except through approved regions

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "twtechDenyS3OutsideUS",
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": ["us-east-2", "us-west-1"]
      }
    }
  }]
}

# Example 2: Deny S3 access unless MFA is used

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "twtechRequireMFAForS3",
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::twtech-s3bucket/*",
    "Condition": {
      "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
    }
  }]
}

 IAM Policy Condition Examples (applied only after the SCP allows)

# Restrict access to specific buckets using s3:ResourceTag (a bucket-level tag key, so the statement is scoped to the bucket ARN; use s3:ExistingObjectTag for object-level actions)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::twtech-s3bucket",
    "Condition": {
      "StringEquals": { "s3:ResourceTag/Environment": "Prod" }
    }
  }]
}

# Restrict S3 API calls to corporate IP range
# Caveat: aws:SourceIp is absent for requests that arrive through a VPC endpoint, and calls that AWS services make on your behalf come from service addresses, so a blanket NotIpAddress deny like this can block both paths; scope it with a VPC-endpoint condition and aws:ViaAWSService where those paths are expected.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] }
    }
  }]
}

# Allow when the request is made via AWS PrivateLink or a specific VPC endpoint
# Note: an Allow with a condition only grants on a match; it does not stop other Allow statements from granting access outside the endpoint. To make the endpoint mandatory, pair it with a Deny that uses StringNotEquals on aws:SourceVpce.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {
      "StringEquals": { "aws:SourceVpce": "twtechvpce-1234567xxxxxyyyyy" }
    }
  }]
}
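The evaluation order from section 2, run over the SCPs and the corporate-IP deny from section 3, as an added example that is not part of the original post. It is a small offline simulator limited to the condition operators the post uses; the missing-key rule it applies (an absent key fails a condition, except for negated and ...IfExists operators, which then match) is assumed from the IAM documentation, and the `AllowBucket` statement and the request contexts are constructed.

```python
import fnmatch
import ipaddress

# Added example, not the post's code: simulates the SCP-then-IAM order described above for
# the condition operators the post uses, including what happens when a key is absent.
NEGATED = {"StringNotEquals", "NotIpAddress"}
_list = lambda v: v if isinstance(v, list) else [v]

def condition_matches(cond, ctx):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted, actual = [str(w).lower() for w in _list(wanted)], ctx.get(key)
            if actual is None:  # absent key (assumed per IAM docs): negated/...IfExists ops match, others fail
                if op in NEGATED or op.endswith("IfExists"):
                    continue
                return False
            hit = (any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
                   if op == "NotIpAddress" else str(actual).lower() in wanted)  # String*/BoolIfExists
            if hit == (op in NEGATED):  # value hit a negated operator, or missed a positive one
                return False
    return True

def evaluate(scps, iam_policies, action, resource, ctx):
    """SCP explicit Deny ends evaluation; then IAM: any Deny wins, else one Allow is needed.
    Assumes the default FullAWSAccess SCP is also attached (no SCP-side implicit deny)."""
    def hits(pols, effect):
        return [s for p in pols for s in p["Statement"] if s["Effect"] == effect
                and any(fnmatch.fnmatchcase(action, a) for a in _list(s["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _list(s["Resource"]))
                and condition_matches(s.get("Condition", {}), ctx)]
    for layer, pols in (("SCP", scps), ("IAM", iam_policies)):
        if denied := hits(pols, "Deny"):
            return f"DENY:{layer}:{denied[0]['Sid']}"
    return "ALLOW" if hits(iam_policies, "Allow") else "DENY:IMPLICIT"

SCPS = [{"Statement": [  # the post's two SCP statements
    {"Sid": "twtechDenyS3OutsideUS", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-2", "us-west-1"]}}},
    {"Sid": "twtechRequireMFAForS3", "Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::twtech-s3bucket/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}]
IAM = [{"Statement": [  # the post's corporate-IP deny plus one constructed Allow
    {"Sid": "AllowBucket", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::twtech-s3bucket/*"},
    {"Sid": "DenyOffCorpIp", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}]

def run_scenarios():  # constructed s3:PutObject request contexts on the post's bucket -> verdicts
    ok = {"aws:RequestedRegion": "us-east-2", "aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.25"}
    drop = lambda k: {x: v for x, v in ok.items() if x != k}
    cases = {"baseline": ok, "wrong region": {**ok, "aws:RequestedRegion": "eu-west-1"},
             "session without MFA key": drop("aws:MultiFactorAuthPresent"),
             "via VPC endpoint (no aws:SourceIp)": drop("aws:SourceIp")}
    return {n: evaluate(SCPS, IAM, "s3:PutObject", "arn:aws:s3:::twtech-s3bucket/report.csv", c) for n, c in cases.items()}
```

The last two scenarios are the ones worth studying: a session that never set the MFA key is denied by the SCP, and a request through a VPC endpoint is denied by the IP statement even though it never left the corporate network.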

 4. IAM & SCP Condition Keys for S3 (Key Reference)

| Condition Key | Used In | Description |
|---|---|---|
| aws:SourceIp | IAM / SCP | Restrict based on the caller's IP address. |
| aws:RequestedRegion | SCP | Restrict S3 API calls by AWS region. |
| aws:PrincipalOrgID | IAM / SCP | Restrict access to principals within a specific Organization ID. |
| aws:MultiFactorAuthPresent | IAM / SCP | Enforce MFA authentication for access. |
| s3:prefix | IAM | Restrict S3 ListObjectsV2 operations to specific prefixes. |
| s3:ExistingObjectTag/twtechkey | IAM | Control access based on existing object tags. |
| s3:ResourceTag/twtechkey | IAM | Restrict access to S3 resources with matching tags. |

 5. Architecture Flow (Evaluation-Visualization.txt)

[User/Role/Service]
        │
        ▼
[API Request to S3 → IAM Evaluation Context]
        │
        ├─> [SCP Check at Organization/Account Level]
        │       └── If Deny → Access Denied
        │
        ├─> [IAM Policy Evaluation]
        │       ├── Identity-based (user/role)
        │       ├── Resource-based (bucket)
        │       └── Conditions (IP, Region, MFA, Tags)
        │
        ├─> [S3 Resource Evaluation (Bucket Policy)]
        │
        ▼
Access Granted (if no Deny and at least one Allow)

Architecture Flow (Evaluation-Visualization.jpg)
