
New in Release 2.23: AWS SCPs, Permissions Boundaries, and More!


Last updated on November 2nd, 2021 at 6:14pm

We just released version 2.23 of our cloud governance software, and it's hard to fit all of the new features into a blog post! This month we focused on more granular and easier permissions control, better visibility into your compliance status, new savings opportunities, and more.

Here's what you'll find in release 2.23 of

For AWS users: SCPs and permissions boundaries

Our two newest additions for AWS are service control policies (SCPs) and permissions boundaries. These AWS objects let you better control your users' effective permissions, but when you leverage the power of, you can enforce them in more places, even faster.

What is an AWS service control policy?

A service control policy (SCP) is a way to allow or deny certain actions in an AWS account. SCPs don't grant any permissions themselves; they set the limits for what permissions IAM policies can give. Because they are enforced at a higher level than IAM policies, SCPs apply to all users (even the AWS account's root user). With IAM policies alone, you could potentially get around restrictions by creating a new user in the AWS console to which the IAM policy does not apply. An SCP applies account-wide, so there is no risk of that.

Why can creating and applying SCPs in the AWS console be challenging?

  1. You need highly privileged access to the root of your organization (i.e., your master payer account) to enforce them.
  2. Applying them across more than one account can be a cumbersome manual process.
  3. You can't apply them across multiple master payer accounts.

now helps you create, manage, and apply SCPs with ease. Using, you can apply the SCP to a cloud rule, then attach the cloud rule to a project or OU. The SCP will now apply to any accounts associated with the project/OU, even across multiple master payer accounts. When you need to make a change, you can easily update the SCP in one place, and will modify it in all of your accounts via your cloud rules. Plus, you'll enjoy greater visibility into which SCPs are applied across your organization.

Together with our other new offering (AWS permissions boundaries), SCPs also create a way to gain more control over a user's effective permissions.

AWS permissions boundaries and control over effective permissions

We are excited to announce that now you can also create, edit, and apply AWS permissions boundaries. What is a permissions boundary? A permissions boundary allows you to set the maximum permissions for your AWS accounts by controlling effective permissions. It's also an effective way to allow users to create their own roles by requiring them to attach an IAM policy to a user or role during creation to ensure they can't elevate their own access. This is ideal for those who need to create their own roles for EC2 or Lambda.

Policies in AWS often overlap. Your AWS IAM policies, AWS SCPs, and permissions boundaries all control an entity's (i.e., a user, user group, or role) effective permissions, or what they can actually do in the cloud. A permissions boundary helps define the limit on an entity's permissions as the intersection of policy types. Denial of an action in either of these policies overrides allowance in the other.

AWS IAM policy vs permissions boundary

When you add SCPs to the mix too, you get even more control. If an identity-based policy, a permissions boundary, and an organization's SCP are all applied to the same entity, the request is only allowed if all 3 policy types allow it. Together these 3 policies create a rock-solid permission system, and you can add, apply, and change them more broadly and more easily with
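The intersection rule described above, as an added example (not code from the product or from AWS). It is a simplified model that matches on action names only and ignores resources, conditions, resource-based policies and session policies; the function names and sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

def decision(policy, action):
    """Evaluate one policy (a list of statements): 'deny', 'allow' or 'none'."""
    result = "none"
    for stmt in policy:
        # IAM action names are case-insensitive and may use * wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "deny"          # an explicit deny always wins
            result = "allow"
    return result

def is_allowed(action, identity_policy, boundary=None, scp=None):
    """Return (allowed, reason) for an action across the attached layers."""
    layers = {"identity policy": identity_policy}
    if boundary is not None:
        layers["permissions boundary"] = boundary
    if scp is not None:
        layers["SCP"] = scp
    results = {name: decision(policy, action) for name, policy in layers.items()}
    # Pass 1: a deny in any layer overrides an allow in the others.
    for name, result in results.items():
        if result == "deny":
            return False, f"explicit deny in {name}"
    # Pass 2: every attached layer must allow the action (the intersection).
    for name, result in results.items():
        if result != "allow":
            return False, f"not allowed by {name}"
    return True, "allowed by every layer"

# Constructed sample policies (actions only; resources and conditions omitted).
IDENTITY = [{"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:CreateUser"]}]
BOUNDARY = [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]
SCP = [{"Effect": "Allow", "Action": ["*"]},
       {"Effect": "Deny", "Action": ["s3:DeleteBucket"]}]

if __name__ == "__main__":
    for act in ["s3:GetObject", "ec2:RunInstances", "s3:DeleteBucket", "iam:CreateUser"]:
        print(act, is_allowed(act, IDENTITY, BOUNDARY, SCP))
```

The reason string names the first layer that blocks the request, which is the question to answer when troubleshooting an unexpected access denial.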

For everyone: better compliance visibility, expanded savings opportunities, and more

The new compliance overview

We enhanced the compliance overview in this release, reorganizing things so that you see the most relevant compliance data at a glance. We also added a "findings by severity" section, so you know which findings you should prioritize. The end result is the ultimate control panel for tracking and addressing compliance issues.


A new page for compliance diagnostics

Speaking of compliance, you can now keep track of compliance scans that are pending or running. Our new compliance scan diagnostic list gives you even greater insight into your compliance by showing you what's currently running or pending, the scheduled date/time, when the scan started, and how long it's been running.


Even more savings opportunities

Release 2.22's savings opportunities feature was a smash hit, so we made sure to add new opportunities in 2.23. You can now terminate additional resources with decommissioning opportunities, including Elastic IPs, EFS volumes, ElastiCache, AMQ, Workspaces, EBS snapshots, RDS DB snapshots, or Azure PostgreSQL databases. Plus, we now recommend Azure Virtual Machine rightsizing opportunities.

Check out the screenshot below to see just how many savings opportunity checks we offer. No wonder our customers are reporting 30% off their cloud bills with this feature!

decommissioning opportunities to help reduce cloud bill

New settings to customize your experience

We get that different organizations have different needs, so we strive to offer customizable settings within Our newest setting lets you disable or enable custom permission schemes on the General UI Settings page. This allows admins to turn off custom permission schemes if you don't need them, making things less confusing and clutter-free.


Plus, savings opportunities calculations now use a 3-month average instead of “current” monthly cost for comparisons. This gives a more accurate picture of your overall spending and how much you'll save.

We could go on!

We know this blog article is getting long, but we made even more changes and enhancements! Make sure you check out the Support Center if you’re an existing customer to see everything we packed into release 2.23!

If you're new to, you can request a demo to learn more about our comprehensive cloud management software.
