AWS SCPs Infographic
AWS Governance Framework

Service Control Policies (SCPs)

Establish a central security perimeter for your entire AWS Organization by defining maximum available permissions.

The Ingredients

AWS Organizations

The root container used to manage accounts centrally.

OU Structure

Organizational Units for grouping accounts logically (by environment, workload, or team).

JSON Policies

The syntax used to define allowed or denied actions.

FullAWSAccess

The default managed SCP that allows all services.

The Governance Flow

1. Define Guardrails

Write a policy that denies specific regions or high-cost services.

2. Attach at Scale

Apply the SCP to the Root, an OU, or a specific Account.

3. Intersection Logic

Final permissions are the intersection of SCPs and IAM Policies.

[Diagram: Root > PROD OU > Acc A, Acc B, Acc C. SCP: Defines Max Permissions]
Explicit Deny

An explicit deny in an SCP overrides any allow in an IAM policy. Safety first.

Size Limits

Each SCP can be up to 5,120 bytes, so use whitespace efficiently!

Root Exception

SCPs do not affect the Management Account itself, only member accounts.
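The three-step flow above (guardrail, attachment, intersection) together with the Explicit Deny, Size Limits and Root Exception callouts, as an added worked example that is not part of the infographic. The region-and-cost guardrail SCP, the FullAWSAccess document and the member-account IAM policy are constructed for this example; the list of global services exempted from the region check is an assumption, not a complete list. The evaluator is a deliberately simplified model of AWS policy evaluation: it handles Action/NotAction, the Effect, and only the StringNotEquals condition on aws:RequestedRegion, and it ignores Resource matching and every other condition operator.

```python
"""Added example: a constructed region/cost guardrail SCP and a simplified
evaluator that shows how SCPs and IAM policies intersect."""
import json

SCP_MAX_BYTES = 5120  # limit stated on the page

# Default managed SCP: allows everything (the "FullAWSAccess" ingredient).
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guardrail: deny requests outside approved regions (exempting an
# assumed, illustrative set of global services) and deny two high-cost services.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
        {"Sid": "DenyHighCostServices", "Effect": "Deny",
         "Action": ["redshift:*", "sagemaker:*"], "Resource": "*"},
    ],
}

# Constructed IAM policy attached to a principal in a member account.
MEMBER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
        {"Effect": "Allow", "Action": "redshift:CreateCluster", "Resource": "*"},
    ],
}


def scp_size_bytes(policy: dict, compact: bool = True) -> int:
    """Serialized size that counts toward the 5,120-byte limit; compact output
    drops the indentation whitespace the page advises against wasting."""
    text = json.dumps(policy, separators=(",", ":")) if compact else json.dumps(policy, indent=4)
    return len(text.encode("utf-8"))


def check_scp_size(policy: dict) -> bool:
    return scp_size_bytes(policy) <= SCP_MAX_BYTES


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action matching: '*', 'service:Prefix*' or an exact, case-insensitive match."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _statement_applies(stmt: dict, action: str, region: str) -> bool:
    if "Action" in stmt and not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_action_matches(p, action) for p in _as_list(stmt["NotAction"])):
        return False
    # Only the StringNotEquals / aws:RequestedRegion condition is modelled (simplification).
    allowed_regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if allowed_regions is not None and region in _as_list(allowed_regions):
        return False
    return True


def evaluate_policy(policy: dict, action: str, region: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, region):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny wins outright
            result = "Allow"
    return result


def evaluate_scp_level(scps: list, action: str, region: str) -> str:
    """All SCPs attached at one level (root, OU or account) are evaluated together:
    any Deny wins, otherwise at least one SCP must Allow."""
    outcomes = [evaluate_policy(p, action, region) for p in scps]
    if "Deny" in outcomes:
        return "Deny"
    return "Allow" if "Allow" in outcomes else "ImplicitDeny"


def effective_decision(scp_levels: list, iam_policy: dict, action: str, region: str,
                       management_account: bool = False) -> str:
    """Intersection logic: every level on the path root -> OU -> account must allow,
    and then the IAM policy must allow. SCPs are skipped for the management account."""
    if not management_account:
        for level in scp_levels:
            if evaluate_scp_level(level, action, region) != "Allow":
                return "Deny"
    return "Allow" if evaluate_policy(iam_policy, action, region) == "Allow" else "Deny"


if __name__ == "__main__":
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, REGION_GUARDRAIL_SCP]]  # root, then PROD OU
    for action, region in [("s3:GetObject", "us-east-1"), ("s3:GetObject", "ap-south-1"),
                           ("redshift:CreateCluster", "us-east-1"), ("ec2:RunInstances", "us-east-1")]:
        print(f"{action:24} {region:12} -> {effective_decision(path, MEMBER_IAM_POLICY, action, region)}")
    print("guardrail size (compact):", scp_size_bytes(REGION_GUARDRAIL_SCP), "bytes")
```

Two things the run makes visible that the text only states: removing FullAWSAccess from an OU level turns a deny-list guardrail into a deny-everything policy, because nothing at that level allows anymore; and an action the IAM policy grants (redshift:CreateCluster) is still refused once any SCP on the path denies it.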

AWS Educational Series • Multi-Account Governance 101
