Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines.
SCPs are available only in an organization that has all features enabled.
SCPs aren’t available if your organization has enabled only the consolidated billing features.
SCPs alone are not sufficient to grant permissions to the accounts in your organization.
No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts.
The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to grant permissions.
The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.
SCP Inheritance:
SCPs affect only IAM users and roles that are managed by accounts that are part of the organization. SCPs don’t affect resource-based policies directly. They also don’t affect users or roles from accounts outside the organization.
An SCP restricts permissions for IAM users and roles in member accounts, including the member account’s root user.
Any account has only those permissions permitted by every parent above it.
If a permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can’t use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user.
SCPs affect only member accounts in the organization. They have no effect on users or roles in the management account.
Users and roles must still be granted permissions with appropriate IAM permission policies. A user without any IAM permission policies has no access, even if the applicable SCPs allow all services and all actions.
If a user or role has an IAM permission policy that grants access to an action that is also allowed by the applicable SCPs, the user or role can perform that action.
If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can’t perform that action.
SCPs affect all users and roles in attached accounts, including the root user. The only exceptions are those described in
SCPs do not affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs.
When you disable the SCP policy type in a root, all SCPs are automatically detached from all AWS Organizations entities in that root. AWS Organizations entities include organizational units, organizations, and accounts.
If you reenable SCPs in a root, that root reverts to only the default FullAWSAccess policy automatically attached to all entities in the root.
Any attachments of SCPs to AWS Organizations entities from before SCPs were disabled are lost and aren’t automatically recoverable, although you can manually reattach them.
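Because re-enabling the policy type brings back only the default FullAWSAccess attachment, a practitioner who must disable SCPs in a root should record every customer-managed attachment first and reattach from that record afterwards. The following Python is an added example, not AWS code: the two functions call only real boto3 Organizations client methods (list_policies, list_targets_for_policy, attach_policy, disable_policy_type, enable_policy_type) on whatever client object they are given, and the FakeOrganizations class plus the policy, OU and root IDs are constructed stand-ins so the example runs offline.

```python
"""Snapshot customer-managed SCP attachments before disabling the SCP policy
type in a root, and reattach them after re-enabling it.

Added example, not AWS code. Re-enabling SCPs leaves each entity with only
FullAWSAccess; earlier attachments are not restored automatically.
"""


def _pages(call, key, **kwargs):
    """Follow NextToken pagination on an Organizations list_* call."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp[key]
        token = resp.get("NextToken")
        if not token:
            return


def snapshot_scp_attachments(org):
    """Return {policy_id: [target_id, ...]} for every customer-managed SCP.
    FullAWSAccess (AwsManaged) is skipped: AWS reattaches it on its own."""
    snapshot = {}
    for policy in _pages(org.list_policies, "Policies", Filter="SERVICE_CONTROL_POLICY"):
        if policy.get("AwsManaged"):
            continue
        targets = _pages(org.list_targets_for_policy, "Targets", PolicyId=policy["Id"])
        snapshot[policy["Id"]] = sorted(t["TargetId"] for t in targets)
    return snapshot


def restore_scp_attachments(org, snapshot):
    """Reattach every (policy, target) pair in the snapshot; return the count."""
    count = 0
    for policy_id, target_ids in snapshot.items():
        for target_id in target_ids:
            org.attach_policy(PolicyId=policy_id, TargetId=target_id)
            count += 1
    return count


class FakeOrganizations:
    """Constructed in-memory stand-in for the boto3 Organizations client
    (hypothetical; it only mimics the behaviour this page describes)."""

    def __init__(self, policies, attachments, entities):
        self.policies = policies
        self.entities = entities
        self.attachments = {p["Id"]: set(t) for p, t in zip(policies, attachments)}
        self.scp_enabled = True

    def list_policies(self, Filter, NextToken=None):
        return {"Policies": [p for p in self.policies if p["Type"] == Filter]}

    def list_targets_for_policy(self, PolicyId, NextToken=None):
        return {"Targets": [{"TargetId": t} for t in sorted(self.attachments[PolicyId])]}

    def attach_policy(self, PolicyId, TargetId):
        self.attachments[PolicyId].add(TargetId)

    def disable_policy_type(self, RootId, PolicyType):
        self.scp_enabled = False
        for pid in self.attachments:  # AWS detaches every SCP in the root
            self.attachments[pid].clear()

    def enable_policy_type(self, RootId, PolicyType):
        self.scp_enabled = True  # only FullAWSAccess comes back, on every entity
        self.attachments["p-FULLAWSACCESS-PLACEHOLDER"] = set(self.entities)


def build_fake_org():
    """Constructed sample: a root, one OU, FullAWSAccess plus one guardrail SCP.
    All IDs are placeholders, not real AWS identifiers."""
    policies = [
        {"Id": "p-FULLAWSACCESS-PLACEHOLDER", "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": True},
        {"Id": "p-GUARDRAIL-PLACEHOLDER", "Type": "SERVICE_CONTROL_POLICY", "AwsManaged": False},
    ]
    entities = ["r-ROOT-PLACEHOLDER", "ou-DEV-PLACEHOLDER"]
    attachments = [entities, ["ou-DEV-PLACEHOLDER"]]
    return FakeOrganizations(policies, attachments, entities)


if __name__ == "__main__":
    org = build_fake_org()
    saved = snapshot_scp_attachments(org)
    org.disable_policy_type(RootId="r-ROOT-PLACEHOLDER", PolicyType="SERVICE_CONTROL_POLICY")
    org.enable_policy_type(RootId="r-ROOT-PLACEHOLDER", PolicyType="SERVICE_CONTROL_POLICY")
    print("after re-enable:", snapshot_scp_attachments(org))
    print("reattached:", restore_scp_attachments(org, saved))
```

Against a real organization, pass boto3.client("organizations") in place of the fake and keep the snapshot somewhere outside the account being changed, since the guardrails are exactly what is missing between the disable and the restore.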
If both a permissions boundary (an advanced IAM feature) and an SCP are present, then the boundary, the SCP, and the identity-based policy must all allow the action.
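The evaluation rules above (SCPs grant nothing, every parent level must allow, explicit or implicit deny at any level blocks, the management account and service-linked roles are exempt, and a permissions boundary must also allow) can be checked with a small evaluator. The following Python is an added example, not AWS code and not AWS's real policy engine: it models only Allow/Deny statements with Action patterns and Resource "*", ignoring Conditions, NotAction and resource ARNs, and all the policies it uses are constructed samples.

```python
"""Effective-permission evaluator for SCPs (added example, not AWS code).

Effective permission = identity-based policy AND permissions boundary (if any)
AND every SCP level in the inheritance chain. SCPs never grant on their own,
and they do not apply to the management account or to service-linked roles.
Only Allow/Deny statements with Action patterns and Resource "*" are modelled.
"""
import fnmatch

# Constructed sample policies (illustration only).
FULL_AWS_ACCESS = {  # the default SCP attached to every entity
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_S3_DELETE_SCP = {  # a guardrail: nobody in the OU may delete buckets
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": "*"}],
}
EC2_ONLY_SCP = {  # an allow-list SCP replacing FullAWSAccess at one level
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
ADMINISTRATOR_ACCESS = {  # the identity-based policy with */* permissions
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
S3_READ_ONLY_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
NO_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}
EC2_ONLY_BOUNDARY = EC2_ONLY_SCP  # same document used as a permissions boundary

# Inheritance chains: root level, then OU level, then account level.
CHAIN_WITH_GUARDRAIL = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_S3_DELETE_SCP], [FULL_AWS_ACCESS]]
CHAIN_ALLOW_LIST = [[FULL_AWS_ACCESS], [EC2_ONLY_SCP], [FULL_AWS_ACCESS]]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Decide one policy: 'deny' if an explicit Deny matches, 'allow' if an
    Allow matches and nothing denies, else 'implicit_deny'."""
    decision = "implicit_deny"
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def scp_chain_allows(scp_chain, action):
    """Each level must allow: at least one SCP at that level allows the action
    and no SCP at that level explicitly denies it."""
    for level in scp_chain:
        decisions = [policy_allows(p, action) for p in level]
        if "deny" in decisions or "allow" not in decisions:
            return False
    return True


def effective_decision(action, identity_policy, scp_chain=(), boundary=None,
                       is_management_account=False, is_service_linked_role=False):
    """Return 'allow' or 'deny' for one action on Resource "*"."""
    # The identity-based policy must grant it; SCPs grant nothing themselves.
    if policy_allows(identity_policy, action) != "allow":
        return "deny"
    # A permissions boundary, when present, must also allow it.
    if boundary is not None and policy_allows(boundary, action) != "allow":
        return "deny"
    # SCPs do not apply to the management account or to service-linked roles.
    if is_management_account or is_service_linked_role:
        return "allow"
    return "allow" if scp_chain_allows(scp_chain, action) else "deny"


if __name__ == "__main__":
    print(effective_decision("s3:DeleteBucket", ADMINISTRATOR_ACCESS, CHAIN_WITH_GUARDRAIL))
    print(effective_decision("s3:GetObject", ADMINISTRATOR_ACCESS, CHAIN_ALLOW_LIST))
    print(effective_decision("s3:GetObject", S3_READ_ONLY_IAM, CHAIN_WITH_GUARDRAIL,
                             boundary=EC2_ONLY_BOUNDARY))
```

The first call shows the guardrail beating AdministratorAccess, the second an implicit deny from an allow-list SCP that never mentions S3, and the third a boundary removing access that both the SCPs and the identity policy would allow.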
You can’t use SCPs to restrict the following tasks:
Any action performed by the management account.
Any action performed using permissions that are attached to a service-linked role.
Register for the Enterprise support plan as the root user.
Change the AWS support level as the root user.
Provide trusted signer functionality for CloudFront private content.
Configure reverse DNS for an Amazon Lightsail email server as the root user.
Tasks on some AWS-related services:
Alexa Top Sites.
Alexa Web Information Service.
Amazon Mechanical Turk.
Amazon Product Marketing API.