SCP

Service Control Policies

• Whitelist or blacklist IAM actions

• Applied at the OU or Account level

• Does not apply to the Master Account

• An SCP applies to all users and roles in the account, including the root user

• The SCP does not affect service-linked roles

  • Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.

• An SCP must contain an explicit Allow (nothing is allowed by default)

• Use cases:

  • Restrict access to certain services (for example: EMR cannot be used)

  • Enforce PCI compliance by explicitly disabling services

Hierarchy

Blacklist and Whitelist strategies
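The following is an added Python example, not part of the original notes or any AWS code, that models the two strategies and the evaluation rules listed above: a deny-list (blacklist) that keeps the default FullAWSAccess policy and adds an explicit Deny for EMR, and an allow-list (whitelist) that replaces it with a short list of services. The policy documents are constructed for the example; `elasticmapreduce` is the real IAM service prefix for EMR. The evaluator is a deliberate simplification: it only looks at `Effect` and `Action` (no `Resource`, `Condition` or `NotAction` handling), checks every level of the hierarchy from the root down to the account, and exempts the management (master) account and service-linked roles as the notes describe.

```python
import fnmatch

# Constructed example SCP documents (added illustration, not from the page).
# They use the IAM policy grammar; only Effect and Action are evaluated below.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Deny-list (blacklist) strategy: keep FullAWSAccess, add an explicit Deny for EMR.
DENY_EMR = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}],
}

# Allow-list (whitelist) strategy: replace FullAWSAccess with a short list of services.
ALLOW_EC2_AND_CLOUDWATCH = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*"], "Resource": "*"}],
}


def _statement_matches(stmt, action):
    """True if the statement's Action list covers `action` (case-insensitive wildcard match)."""
    if "NotAction" in stmt or "Condition" in stmt:
        # Simplification: this toy evaluator only handles plain Action statements.
        raise NotImplementedError("NotAction/Condition are not modelled here")
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in actions)


def scps_allow_at_level(policies, action):
    """Evaluate the SCPs attached at one level (root, one OU, or the account).

    An action passes a level only if some statement explicitly allows it and no
    statement denies it; with no matching Allow the default is an implicit deny.
    """
    explicitly_allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny wins regardless of any Allow
            explicitly_allowed = True
    return explicitly_allowed


def scps_permit(action, levels, management_account=False, service_linked_role=False):
    """Effective SCP decision for a principal in an account.

    `levels` lists the SCPs attached at each step of the hierarchy, from the
    root through each OU down to the account; the action must pass every level.
    The management (master) account and service-linked roles are never
    restricted by SCPs. A True result does not grant anything by itself: the
    principal's IAM policies must still allow the action.
    """
    if management_account or service_linked_role:
        return True
    return all(scps_allow_at_level(policies, action) for policies in levels)


if __name__ == "__main__":
    # Root keeps FullAWSAccess; the account's OU uses the deny-list strategy.
    deny_list = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_EMR]]
    # Root keeps FullAWSAccess; the account's OU uses the allow-list strategy.
    allow_list = [[FULL_AWS_ACCESS], [ALLOW_EC2_AND_CLOUDWATCH]]

    for action in ("ec2:DescribeInstances", "elasticmapreduce:RunJobFlow", "s3:GetObject"):
        print(f"{action:32} deny-list={scps_permit(action, deny_list)!s:5} "
              f"allow-list={scps_permit(action, allow_list)}")
    # Even with a denied action, the management account is unaffected.
    print("management account, EMR:", scps_permit("elasticmapreduce:RunJobFlow", deny_list,
                                                    management_account=True))
```

Two properties worth checking against the notes: with the allow-list strategy an action such as `s3:GetObject` is refused even though nothing denies it, because no level contains an explicit Allow for it; and ordering the hierarchy the other way round (allow-list at the root, FullAWSAccess at the account) refuses it too, because every level must allow the action.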
