AWS Service Control Policies (SCPs)
In the AWS ecosystem, Service Control Policies (SCPs) are the ultimate “guardrails” for your organization. While IAM policies define what a specific user can do, SCPs define the maximum available permissions for an entire AWS account or Organizational Unit (OU).
The “Security Guard” Analogy
Imagine an office building. SCPs are like the building security guard who decides which floors are even accessible. If the guard says “Floor 5 is closed today,” it doesn’t matter if you have a keycard (IAM Policy) for a specific room on Floor 5—you aren’t getting in. SCPs set the boundaries; IAM policies grant access within those boundaries.
Core Concepts & Hierarchy
SCPs are a feature of AWS Organizations. They are JSON policies that follow the same syntax as IAM, but they do not grant permissions. Instead, they act as a filter that strips away permissions.
- Inheritance: SCPs applied at the Root level affect all OUs and accounts. SCPs applied at the OU level affect all accounts within that OU.
- The Filter Effect: A user can only perform an action if it is allowed by BOTH the SCP and the IAM policy.
- FullAWSAccess: By default, AWS attaches a policy named `FullAWSAccess` to every node. If you remove this without adding another “Allow” policy, all access is blocked (deny by default).
Comparison: SCP vs. IAM vs. Resource-Based Policies
| Feature | Service Control Policy (SCP) | IAM Policy | Resource-Based Policy |
|---|---|---|---|
| Scope | Organization, OU, or Account | User, Group, or Role | Specific Resource (e.g., S3 Bucket) |
| Grants Access? | No (Sets boundaries) | Yes | Yes |
| Affects Root User? | Yes (of member accounts) | No | Yes |
| Management Account? | Does NOT affect Management Acct | Affects Management Acct | Affects Management Acct |
Exam Tips and Gotchas
- The Management Account Immunity: SCPs do NOT apply to the Management (Master) account. This is a common exam distractor.
- Explicit Deny: Just like IAM, an `"Effect": "Deny"` in an SCP always overrides any `"Allow"`.
- Root User Impact: Unlike IAM policies, SCPs do restrict the Root user of a member account.
- Size Limit: SCPs have a maximum size of 5,120 bytes. For the exam, if you need many complex restrictions, suggest multiple OUs or combining policies.
- Service-Linked Roles: SCPs do not affect Service-Linked Roles (used by AWS services to perform actions on your behalf).
Decision Matrix / If–Then Guide
- If you need to prevent any account in the “Dev” OU from launching `g5` instances… Then apply an SCP with a `Deny` on `ec2:RunInstances` with a condition on `ec2:InstanceType`.
- If you need to ensure no one (including Root) can delete S3 buckets in a member account… Then apply an SCP with `Deny` on `s3:DeleteBucket`.
- If you need to restrict AWS usage to specific regions (e.g., `us-east-1` only)… Then apply an SCP that denies all actions if `aws:RequestedRegion` is not `us-east-1`.
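The three rules in this matrix, together with the inheritance and intersection rules described earlier (every level from the Organization root down to the account must allow the action, an explicit Deny always wins, the management account is exempt, and a member account's root user is bound by SCPs but not by IAM policies), can be exercised with a small policy evaluator. This is an added example, not code from the guide or from AWS: the policy documents, the Root/Dev-OU/account layout and the request contexts are constructed for illustration, and the evaluator supports only the `String*` condition operators. A production region lock would normally use `NotAction` to exempt global services such as IAM and STS rather than a bare `"Action": "*"`.

```python
import fnmatch

# Constructed sample policies (not the guide's or AWS's own documents; FullAWSAccess
# mirrors the default Allow-all policy AWS attaches to every node).
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Dev OU guardrails from the decision matrix: no g5 instances, no bucket deletion.
DENY_G5_INSTANCES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringLike": {"ec2:InstanceType": "g5.*"}}}]}
DENY_DELETE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

# Root-level region lock: deny everything requested outside us-east-1.
REGION_LOCK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}

ADMIN_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive wildcard match, as IAM applies to Action and Resource."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """String* operators only. A missing context key fails positive operators and
    satisfies negated ones (StringNotEquals / StringNotLike), matching IAM semantics."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        wildcard = operator.endswith("Like")
        for key, expected in pairs.items():
            if key not in context:
                if negated:
                    continue
                return False
            actual = context[key]
            hit = _matches(expected, actual) if wildcard else actual in _as_list(expected)
            if hit == negated:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """One policy set: explicit Deny wins, else an Allow is required, else implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def authorize(scp_levels, iam_policies, action, resource, context,
              root_user=False, management_account=False):
    """Intersection rule: every SCP level (root -> OU -> account) must allow, then the
    IAM policy must allow. Management account skips SCPs; a member account's root user
    is restricted only by SCPs (resource-based policies are not modelled here)."""
    if not management_account:
        for level in scp_levels:
            if evaluate(level, action, resource, context) != "Allow":
                return "Deny"
    if root_user:
        return "Allow"
    return evaluate(iam_policies, action, resource, context)


ROOT_SCPS = [FULL_AWS_ACCESS, REGION_LOCK]
DEV_OU_SCPS = [FULL_AWS_ACCESS, DENY_G5_INSTANCES, DENY_DELETE_BUCKET]
DEV_ACCOUNT_SCPS = [FULL_AWS_ACCESS]
DEV_PATH = [ROOT_SCPS, DEV_OU_SCPS, DEV_ACCOUNT_SCPS]   # constructed hierarchy


def run_scenarios():
    east = {"aws:RequestedRegion": "us-east-1"}
    west = {"aws:RequestedRegion": "eu-west-1"}
    iam = [ADMIN_IAM_POLICY]
    return {
        "g5 in dev ou": authorize(DEV_PATH, iam, "ec2:RunInstances", "*",
                                  {**east, "ec2:InstanceType": "g5.xlarge"}),
        "t3 in dev ou": authorize(DEV_PATH, iam, "ec2:RunInstances", "*",
                                  {**east, "ec2:InstanceType": "t3.micro"}),
        "root deletes bucket": authorize(DEV_PATH, [], "s3:DeleteBucket", "*", east,
                                         root_user=True),
        "wrong region": authorize(DEV_PATH, iam, "ec2:DescribeInstances", "*", west),
        "management account wrong region": authorize(DEV_PATH, iam, "ec2:DescribeInstances",
                                                     "*", west, management_account=True),
        # Account node with FullAWSAccess removed and nothing else attached: deny by default.
        "FullAWSAccess removed": authorize([ROOT_SCPS, DEV_OU_SCPS, []], iam,
                                           "s3:ListAllMyBuckets", "*", east),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:35s} -> {decision}")
```

The scenarios reproduce the guide's points: the Dev OU deny on `ec2:RunInstances` blocks a `g5.xlarge` but not a `t3.micro`, the root user of a member account still cannot call `s3:DeleteBucket`, the Root-level region lock denies a request in `eu-west-1` for member accounts but not for the management account, and an account node with no Allow policy left denies everything even though its OU and the Organization root allow.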
Topics covered
Summary of key subtopics covered in this guide:
- AWS Organizations hierarchy and policy attachment points.
- The relationship between SCPs and IAM (the “Intersection” rule).
- Whitelisting (Allow) vs. Blacklisting (Deny) strategies.
- Management account vs. Member account behavior.
- Standard use cases: Region locking, instance type restriction, and preventing Root user actions.
Architecture: SCP Guardrails
Security Guardrails
Integrates with AWS Organizations. Use it to enforce compliance across hundreds of accounts without modifying individual IAM roles.
Use Case: Prevent any account from disabling CloudTrail or deleting VPC Flow Logs.
Performance & Limits
SCPs have zero latency impact on API calls. However, each node can have at most 5 SCPs attached, and each policy is capped at 5KB (5,120 bytes).
Tip: Use OU hierarchies to group similar accounts and keep policies concise.
Cost Optimization
SCPs are free of charge. Use them to prevent developers from spinning up expensive GPU instances (P4/P5) in sandbox accounts.
Strategy: Deny ec2:RunInstances for non-approved, high-cost instance types.
Example: An SCP that allows resource creation only in `us-east-1` and `us-west-2` enforces data residency compliance automatically across 50+ AWS accounts.