This covers quite a few use cases: https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/ Answer from mwarkentin on reddit.com
AWS
docs.aws.amazon.com › aws organizations › user guide › managing organization policies with aws organizations › authorization policies in aws organizations › service control policies (scps)
Service control policies (SCPs) - AWS Organizations
3 weeks ago - SCPs are similar to AWS Identity and Access Management permission policies and use almost the same syntax. However, an SCP never grants permissions. Instead, SCPs are access controls that specify the maximum available permissions for the IAM users and IAM roles in your organization.
AWS
aws.amazon.com › blogs › security › unlock-new-possibilities-aws-organizations-service-control-policy-now-supports-full-iam-language
Unlock new possibilities: AWS Organizations service control policy now supports full IAM language | Amazon Web Services
September 26, 2025 - Amazon Web Service (AWS) recently announced that AWS Organizations now offers full AWS Identity and Access Management (IAM) policy language support for service control policies (SCPs).
What are the SCP best practices?
This covers quite a few use cases: https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/ More on reddit.com
11
13
September 7, 2020Will enabling SCP in AWS Organizations do anything to local users in member accounts?
SCPs will absolutely affect any identity in your org. They will NOT grant users in any account any permissions that they don’t already have. Docs: SCPs alone are not sufficient in granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to the IAM users and roles in the affected accounts. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html More on reddit.com
4
2
January 19, 2024How to find out which SCP is denying action in an AWS multi-account scenario?
SCPs are managed from the organizational master account and applied to member accounts or entire OUs so you need to start there for the “what scps are mapped to my accounts “ question More on reddit.com
12
5
March 20, 2025SCP requiring MFA explicitly?
That would be hard to do since there are many services and non human users which would not be able to perform MFA. Are you trying to blanket deploy it or restrict to IAM users somehow? More on reddit.com
5
1
May 9, 2020Videos
07:14
Create AWS Service Control Policy (AWS SCP) - YouTube
18:48
112. What is a Service Control Policy (SCP)? - YouTube
06:55
AWS Organizations Service Control Policies - YouTube
How to Enable AWS Service Control Policies (AWS SCP)
Introduction to AWS Service Control Policies SCPs
02:17
How To: Service Control Policies In AWS Organizations (2 Min) | ...
Sonrai
sonraisecurity.com › home › what are aws service control policies (scp)? a complete guide
What Are AWS Service Control Policies (SCP)? A Complete Guide
October 16, 2024 - A service control policy is a set of controls at the organizational unit that restricts the maximum level of permissions that users, roles, and even root users in AWS accounts can hold.
AWS
aws.amazon.com › blogs › mt › achieving-operational-excellence-with-design-considerations-for-aws-organizations-scps
Achieving operational excellence with design considerations for AWS Organizations SCPs | AWS Cloud Operations Blog
September 22, 2025 - Service control policies (SCPs) are a set of policies that allow organizations to manage permissions using AWS Organizations. SCPs help control access to AWS services and resources provisioned across multiple accounts created within an organization.
AWS
docs.aws.amazon.com › aws ram › user guide › security in aws ram › identity and access management for aws ram › example service control policies for aws organizations and aws ram
Example service control policies for AWS Organizations and AWS RAM - AWS Resource Access Manager
AWS RAM supports service control policies (SCPs). SCPs are policies that you attach to elements in an organization to manage permissions within that organization. An SCP applies to all AWS accounts under the element to which you attach the SCP . SCPs offer central control over the maximum available ...
Reddit
reddit.com › r/aws › what are the scp best practices?
r/aws on Reddit: What are the SCP best practices?
September 7, 2020 -
I lost the count of companies that I talked and have no idea what Service control polices can be used for. Once I explain I have the follow-up question that I don’t have answer yet. What should I set on my SCP?
This is a open question that can go from blocking unused regions to blocking IAM user creation, restrict to just a group to be allowed to delete resources/snapshot, etc.
Usually I share this site for them to start. https://asecure.cloud
What do you think it is a “must have” for any medium/small company that is worried about their security regarding SCP?
Medium
maximaavem.medium.com › visual-explanation-of-scp-inheritance-for-aws-organizations-a7d31a6ff23d
Visual Explanation of SCP Inheritance for AWS Organizations | by John Byrd | Medium
January 22, 2020 - In the following diagrams think of the circles as representing service permissions (ec2:*, s3:*, etc.), each square is a direct attachment of an SCP, and the arrows represent the direction of effective inheritance of the policies. ... As with all things IAM related in AWS, we start with an implicit deny.
Asecure
asecure.cloud › l › scp
AWS Service Control Policy (SCP) Repository
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts. ... A configuration package to deploy common Service Control Policies (SCPs) in the master account of an AWS Organization.
DEV Community
dev.to › aws-builders › scp-automation-for-aws-organization-569j
SCP Automation for AWS Organization - DEV Community
January 14, 2025 - AWS Service Control Policies (SCPs) are a powerful tool for managing permissions and enforcing governance across your AWS environment. By using SCPs effectively, you can ensure that your organization remains secure, compliant, and well-managed ...
Reddit
reddit.com › r/aws › will enabling scp in aws organizations do anything to local users in member accounts?
r/aws on Reddit: Will enabling SCP in AWS Organizations do anything to local users in member accounts?
January 19, 2024 -
I understand the concept of policies and how they are applied but what I can't find out is will simply enabling the service do anything by default?
I am looking at enabling SCP to allow users in management account access to new member accounts but there are already local users in the member accounts. Will enabling SCP affect these?
Answered
No it won't impact anything by enabling the service. SCPs need to be created to make any changes.
GitHub
github.com › aws-samples › service-control-policy-examples
GitHub - aws-samples/service-control-policy-examples: Example AWS Service control policies to get started or mature your usage of AWS SCPs.
A Service control policy (SCP), when attached to an AWS organization, organization unit or an account offers a central control over the maximum available permissions for all accounts in your organization, organization unit or an account.
Starred by 270 users
Forked by 49 users
AWS
docs.aws.amazon.com › amazon q developer in chat applications › administrator guide › understanding amazon q developer in chat applications permissions › securing your aws organization in amazon q developer in chat applications › service control policies (scps) for amazon q developer in chat applications
Service control policies (SCPs) for Amazon Q Developer in chat applications - Amazon Q Developer in chat applications
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organization. For more information,
AWS
aws.amazon.com › blogs › mt › codify-your-best-practices-using-service-control-policies-part-1
Codify your best practices using service control policies: Part 1 | AWS Cloud Operations Blog
February 28, 2022 - Separation of concern through ... multi-account AWS environment is AWS Organizations, which lets you centrally manage and govern multiple accounts. This central governance of multiple accounts is best done using service control policies (SCPs)....
Stormit
stormit.cloud › blog › aws-scp-service-control-policy
What is AWS SCP and How does it Work? | StormIT
July 14, 2022 - AWS Organizations provides centralised governance and management of multiple accounts. You can use Service Control Policies (SCPs) with AWS Organizations to establish controls that all IAM principals (users and roles) adhere to.
AWS
docs.aws.amazon.com › aws organizations › user guide › managing organization policies with aws organizations › authorization policies in aws organizations
Authorization policies in AWS Organizations - AWS Organizations
October 22, 2025 - SCPs are principal-centric controls. SCPs create a permissions guardrail, or set limits, on the maximum permissions available to principals in your member accounts. You can use an SCP when you want to centrally enforce consistent access controls on principals in your organization.
Reddit
reddit.com › r/aws › how to find out which scp is denying action in an aws multi-account scenario?
r/aws on Reddit: How to find out which SCP is denying action in an AWS multi-account scenario?
March 20, 2025 -
Hello everyone, sorry if the question is really dumb, but I can’t figure out how to find out which SCP is denying actions to a role in our AWS accounts.
I’m already using the IAM policy simulator and it tells me the action is blocked by a SCP, but
a) it doesn’t tell me which SCP is blocking b) which account is the one with the SCP linked to.
Also there seems to be no SCP associated with the account where the actions are denied.
Unfortunately the SCPs were already in place before my arrival and I can’t simply detach them all without cyber releasing the hounds.
Thanks for any input/suggestion.
UPDATE: Running the same commands from the CLI works without any issue, so we openend a support request to the AWS team.
UPDATE 2: Turns out we have a SCP blocking all requests on regions outside of the ones where we have our resources. Via CLI we couldn't see the issue because when running aws configure we already set the correct region. Support helped us notice that the application was instead trying to read all resources in all AWS regions, hence the error.
Top answer 1 of 7
8
SCPs are managed from the organizational master account and applied to member accounts or entire OUs so you need to start there for the “what scps are mapped to my accounts “ question
2 of 7
5
You’re going to need to review SCPs from the billing account. I would pull them all into JSON files and then search for the actions being denied using something like grep or “Find in Files” in VS Code. It’s useful to have them all saved locally, assuming they don’t change often, for this type of review.
AWS
docs.aws.amazon.com › aws organizations › user guide › managing organization policies with aws organizations › authorization policies in aws organizations › service control policies (scps) › service control policy examples › example scps for tagging resources
Example SCPs for tagging resources - AWS Organizations
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyCreateSecretWithNoProjectTag", "Effect": "Deny", "Action": "secretsmanager:CreateSecret", "Resource": "*", "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Sid": "DenyRunInstanceWithNoProjectTag", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Sid": "DenyCreateSecretWithNoCostCenterTag", "Effect": "Deny", "Action": "secretsmanager:CreateSecret", "Resource": "*", "Condition": { "Null": { "aws:RequestTag/CostCenter": "true" } } }, { "Sid": "DenyRunInstanceWithNoCostCenterTag", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:*:*:instance/*" ], "Condition": { "Null": { "aws:RequestTag/CostCenter": "true" } } } ] }
Medium
medium.com › gft-engineering › more-about-aws-service-control-policies-scp-1588ff9bc814
More about AWS Service Control Policies (SCP) | by Leticia Massae | gft-engineering | Medium
April 19, 2023 - AWS Service Control Policies(SCP) are Deny and Allow policies, it works just like any other JSON policy in AWS, but Service Control Policies(SCP) are set it up at the Organization level and are inherited by all other Organization Units, ...
Tutorials Dojo
tutorialsdojo.com › home › aws cheat sheets › aws comparison of services › service control policies (scp) vs iam policies
Service Control Policies (SCP) vs IAM Policies
April 12, 2023 - Service Control Policies (SCP) IAM Policies SCPs are mainly used along with AWS Organizations organizational units
PCG
pcg.io › insights › aws-organization-scps
The powers and limitations of AWS Organization SCPs
July 11, 2023 - This special type of permission policy, usable only in an AWS Organization, has many useful features, which can simplify the administration and security management of your AWS Organization. Since I passed both those certifications successfully, I believed that I had a good understanding of SCPs ...