AWS Glossary
AWS Organizations Service Control Policies
Organization-wide IAM policies that define permission boundaries for AWS accounts and organizational units.
AI & assistant-friendly summary
This section provides structured content for AI assistants and search engines. You can cite or summarize it when referencing this page.
Summary
Organization-wide IAM policies that define permission boundaries for AWS accounts and organizational units.
Key Facts
- • Organization-wide IAM policies that define permission boundaries for AWS accounts and organizational units
- • Definition Service Control Policies (SCPs) are organization-level permission **guardrails** attached to the root, organizational units (OUs), or individual accounts in AWS Organizations
- • SCPs do not grant permissions — they define the maximum actions accounts in that scope can ever perform, even if an IAM policy allows them
- • Effective permission is the intersection of IAM policies and all inherited SCPs
- • SCPs use the same JSON policy grammar as IAM but support only **Deny** effects (and limited Allow patterns for exceptions)
Entity Definitions
- RDS
- RDS is an AWS service relevant to aws organizations service control policies.
- IAM
- IAM is an AWS service relevant to aws organizations service control policies.
- GuardDuty
- GuardDuty is an AWS service relevant to aws organizations service control policies.
- cost optimization
- cost optimization is a cloud computing concept relevant to aws organizations service control policies.
- compliance
- compliance is a cloud computing concept relevant to aws organizations service control policies.
Related Content
- AWS CLOUD SECURITY — Related service
- CLOUD COMPLIANCE SERVICES — Related service
Definition
Service Control Policies (SCPs) are organization-level permission guardrails attached to the root, organizational units (OUs), or individual accounts in AWS Organizations. SCPs do not grant permissions — they define the maximum actions accounts in that scope can ever perform, even if an IAM policy allows them. Effective permission is the intersection of IAM policies and all inherited SCPs. SCPs use the same JSON policy grammar as IAM but support only Deny effects (and limited Allow patterns for exceptions). They are the primary preventive control in multi-account landing zones.
When to use it
- Prevent disabling audit/logging — deny
cloudtrail:StopLogging,config:StopConfigurationRecorder, or deletion of log groups. - Region allow-lists — restrict prod workloads to approved regions for data residency.
- Block public exposure patterns — deny creation of unencrypted resources or public RDS instances where policy supports it.
- Protect security tooling — deny removal of GuardDuty, Security Hub, or centralized firewall admin roles.
- Sandbox guardrails — deny expensive instance families or root access key creation in non-prod OUs.
When not to use it
- Granting access to users — SCPs are not a replacement for IAM; you still need roles, permission sets, and resource policies.
- Application-level authorization — SCPs affect AWS API calls, not in-app RBAC.
- Overly broad Deny on day one — locking down prod before IAM and OU structure are stable breaks deployments and erodes trust with app teams.
Tips
- Design OU hierarchy first, then attach SCPs at the OU level — accounts inherit parent SCPs; child OUs add stricter layers.
- Use Allow-list SCP patterns for region control (deny all except listed regions) rather than ad-hoc per-service denies.
- Maintain a break-glass account outside restrictive SCPs for emergencies — document and monitor it heavily.
- Test SCP changes in a non-prod OU; SCP denies surface as opaque
AccessDeniederrors in application logs. - Log and alert on SCP denials via CloudTrail — spikes often reveal a misconfigured deployment pipeline.
Gotchas
Serious
- SCP Deny blocks IAM Allow — teams spend hours debugging IAM when the SCP on the OU is the actual blocker.
- Forgetting the management account — SCPs do not restrict the management account itself the same way; protect it separately.
- Deny without exception for break-glass roles — you can lock out your own security team during an incident.
Regular
- Confusing SCPs with permission boundaries — permission boundaries cap a single role/user; SCPs cap entire accounts.
- Duplicate conflicting SCPs — multiple attached SCPs combine; unintended Deny overlap is hard to trace without policy simulation.
- Using SCPs for cost optimization alone — instance-type denies help, but FinOps still needs budgets and tagging enforcement.
Official references
- Service control policies (SCPs)
- SCP effects on permissions
- AWS Organizations
- Testing SCPs with IAM policy simulator
Related FactualMinds content
Related Services
AWS Security Consulting
AWS security consulting from an AWS Select Tier Partner. 2-week assessment, 4–6 week remediation, zero disruption. IAM hardening, public exposure, compliance gaps, and continuous monitoring.
Cloud Compliance Services — HIPAA, SOC 2, PCI DSS on AWS
Cloud compliance services — HIPAA, SOC 2, PCI DSS, ISO 27001, GDPR. Expert consulting from FactualMinds.
Need help with this topic?
Our AWS-certified team implements, audits, and optimizes these services in production — from Bedrock RAG pipelines to multi-account landing zones.