Introducing resource control policies (RCPs) to centrally restrict access to AWS resources

AWS is excited to announce resource control policies (RCPs) in AWS Organizations to help you centrally establish a [data perimeter](https://aws.amazon.com/identity/data-perimeters-on-aws/) across your AWS environment. With RCPs, you can centrally restrict external access to your AWS resources at scale. At launch, RCPs apply to resources of the following AWS services: Amazon Simple Storage Service (Amazon S3), AWS Security Token Service, AWS Key Management Service, Amazon Simple Queue Service, and AWS Secrets Manager. RCPs are a type of organization policy that can be used to centrally create and enforce preventative controls on AWS resources in your organization. Using RCPs, you can centrally set the maximum available permissions to your AWS resources as you scale your workloads on AWS. For example, an RCP can help enforce the requirement that “no principal outside my organization can access Amazon S3 buckets in my organization,” regardless of the permissions granted through individual bucket policies. RCPs complement service control policies (SCPs), an existing type of organization policy. While SCPs offer central control over the maximum permissions for IAM roles and users in your organization, RCPs offer central control over the maximum permissions on AWS resources in your organization. Customers that use AWS IAM Access Analyzer to identify external access can review the impact of RCPs on their resource permissions. For an updated list of AWS services that support RCPs, refer to the [list of services supporting RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs%5Fmanage%5Fpolicies%5Frcps.html#rcp-supported-services). RCPs are available in all AWS commercial Regions. To learn more, visit the [RCPs documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs%5Fmanage%5Fpolicies%5Frcps.html).