What Is Service Control Policy? Security Definition
On This Page
What do you want to do?
Quick Definition
A Service Control Policy is like a set of rules set at the top level of an AWS organization that controls what each member account can do. It doesn't give anyone new permissions, but it can block certain actions even if they are allowed by other policies. This helps ensure security and compliance across many accounts without having to configure each one separately.
Common Commands & Configuration
aws organizations create-policy --name "DenyEC2InstanceTypes" --type SERVICE_CONTROL_POLICY --content file://scp.jsonCreates a new SCP from a JSON file. Replace 'scp.json' with your policy JSON. The --type parameter must be SERVICE_CONTROL_POLICY.
Exams test that you know the correct type parameter. Also know that you can update policies with update-policy.
aws organizations attach-policy --policy-id p-exampleid --target-id ou-example-ouidAttaches an existing SCP to an organizational unit (OU) or an account. Use --target-id for the OU or AWS account ID.
Know the difference between attach-policy (console) and attach-scp (CLI). The CLI command is attach-policy. Important for exam scenario questions.
aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query "Policies[*].{Name:Name, Id:Id}"Lists all SCPs in the organization with their IDs. Useful for auditing or scripting.
The --filter parameter must be set to SERVICE_CONTROL_POLICY. Exam tests filtering syntax and the correct filter value.
aws organizations enable-policy-type --root-id r-exampleroot --policy-type SERVICE_CONTROL_POLICYEnables SCPs in the root of the organization. This must be done before you can create or attach any SCP.
If you don't enable SCPs at the root, the policy type is not available. This is a common gotcha in exams and real-world setups.
{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"ec2:RunInstances","Resource":"*","Condition":{"StringLike":{"ec2:InstanceType":"p*.16xlarge"}}}]}SCP JSON that denies launching any EC2 instance type starting with 'p' and ending with '.16xlarge' (GPU instances).
Exams test condition keys like ec2:InstanceType and the format of StringLike. Know that you can use wildcards in string conditions.
aws organizations detach-policy --policy-id p-exampleid --target-id 123456789012Detaches an SCP from a specific account or OU. Use the account number or OU ID as the target.
Detaching a policy does not delete it; it just removes the attachment. Know the difference between detach and delete.
Service Control Policy appears directly in 22exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Service Control Policies appear in multiple certification exams, especially those focused on AWS governance and security. For the AWS Cloud Practitioner exam, SCPs are a fundamental concept in the Security and Compliance domain. You need to understand that SCPs are used to centrally control permissions across accounts and that they do not grant permissions, only limit them. Questions may ask about the purpose of SCPs or compare them to IAM policies. Cloud Practitioner questions are typically high-level and scenario-based, such as identifying which tool would allow an organization to block the use of a specific service across all accounts.
For the AWS Solutions Architect Associate (SAA) exam, SCPs are more deeply integrated into scenarios involving multi-account architectures, AWS Organizations, and centralized security. You might see questions about designing a secure infrastructure where SCPs are used to enforce region restrictions or prevent resource deletion. You may also need to understand how SCPs interact with IAM policies and resource-based policies. The exam might present a scenario where a security team needs to ensure that no account can disable CloudTrail or delete S3 bucket policy. The correct answer would involve using an SCP with a deny effect.
The AWS SysOps Administrator Associate exam also covers SCPs, particularly in the context of automating governance and managing accounts at scale. You might be asked how to troubleshoot permission issues caused by SCPs or how to implement SCPs to meet compliance requirements. Understanding the evaluation logic is crucial here.
For security certifications like CISSP, SCPs are an example of a centralized access control mechanism that enforces mandatory access control (MAC) across a distributed environment. In CISSP, the focus is on the concept of permission boundaries and how SCPs implement the principle of least privilege at the organizational level. You may not need to write SCP syntax, but you should understand the policy evaluation order and the fact that SCPs can override local permissions.
In CompTIA Security+, SCPs are part of cloud security controls, particularly in the context of IAM and policy management. Questions might compare SCPs to other security controls and ask which one provides the strongest central enforcement.
For Microsoft exams like AZ-104 or SC-900, SCPs are less directly relevant but may appear in comparison with Azure Policy or management groups. However, understanding the concept of a centralized guardrail helps in cross-platform understanding. In those exams, the term SCP is specific to AWS, so it is more about knowing the equivalent in Azure.
Question types vary: direct definition questions, scenario-based multiple choice, and the occasional drag-and-drop or hot area where you must identify where SCPs fit in the policy evaluation order. Common traps include confusing SCPs with IAM policies, forgetting that SCPs do not grant permissions, or thinking that SCPs apply to the management account. Mastering these details will help you avoid those pitfalls.
Simple Meaning
Imagine you are managing a large school district with many schools. Each school has its own principal and staff who can make decisions about what happens at their school. However, as the district superintendent, you want to make sure no school does something dangerous, like spending the entire budget on ice cream or allowing unauthorized people onto campus. A Service Control Policy is like a district-wide rulebook that says, no matter what the local principal allows, certain things are completely off limits. For example, you might have a rule that says no school can delete the main student database or change the security cameras. Even if the principal at a school gives permission to do those things, the district rule overrides it.
In cloud computing, an organization might have dozens or hundreds of AWS accounts for different teams or departments. Without central controls, each account administrator could give permissions that violate security policies or cause compliance issues. Service Control Policies sit at the top of the AWS Organizations hierarchy and establish boundaries. They work like a guardrail: they don't give anyone any new abilities, but they set the maximum scope of what is allowed. If an SCP says you cannot use a specific service, then even if an IAM policy grants that service permission, the action is denied.
This concept is different from an IAM policy, which grants specific permissions to users or roles. SCPs are not about granting permissions; they are about limiting them. Think of it like a castle. The king (management account) sets rules for all the knights (member accounts). The knights can decide who gets keys to which rooms (IAM policies), but if the king declares that the treasury room is off limits to everyone, no key can open that door. SCPs do not replace IAM policies; they work together. First, SCPs define the overall allowed actions, and then IAM policies determine who within that boundary can actually perform those actions.
SCPs can be used to enforce a wide variety of controls, such as preventing the deletion of critical resources, restricting access to certain regions for data sovereignty, or blocking the use of high-cost services. They are essential for organizations that need to maintain security and compliance across multiple accounts without micromanaging every policy. They are also a key tool for implementing the principle of least privilege at scale, because you can centrally block dangerous actions and then trust account administrators to grant only the permissions that remain available.
Full Technical Definition
A Service Control Policy (SCP) is a policy document in JSON format that is used within AWS Organizations to centrally control the maximum available permissions for all accounts in the organization. SCPs are not identity-based policies or resource-based policies; they are a type of organization policy that sets a permission guardrail. They do not grant any permissions by themselves. Instead, they define a boundary within which IAM policies and other permission mechanisms can operate. The effective permission for any principal in a member account is the intersection of the permissions allowed by the SCP and those granted by IAM policies. If a service or action is not explicitly allowed by an SCP, it is implicitly denied, unless the SCP uses a deny effect.
SCPs operate at two main levels: the root of the organization (the top-level container) and individual organizational units (OUs) or accounts. They can be attached to the organization root, to OUs, or directly to member accounts. The policy evaluation follows the hierarchy: SCPs attached at the root affect all accounts, SCPs attached to an OU affect all accounts under that OU, and SCPs attached to an account affect only that account. When multiple SCPs apply, the effective permission is the logical intersection of all allow statements across all SCPs that apply to the account. If any SCP denies an action, that action is denied regardless of allowances. This is similar to the AWS IAM policy evaluation logic, but with an important difference: SCPs do not have an explicit deny override from IAM policies; a deny in an SCP always wins.
SCPs use a syntax similar to IAM policies, including Effect (Allow or Deny), Action (list of AWS service actions), Resource (usually '*' for SCPs), and Condition (optional context keys). However, SCPs have some limitations: they cannot grant permissions, they cannot specify a Principal element because they apply to all principals in the affected accounts, and they cannot use resource-based policies. The Resource element in an SCP is typically set to '*' because the policy applies to all resources in the account. This is because SCPs are about controlling actions, not specific resource access.
When a request is made to an AWS service, the authorization system first evaluates all applicable SCPs. If any SCP denies the action, the request is denied immediately. If no SCP denies the action, the system then evaluates IAM policies, bucket policies, and other permission mechanisms. So SCPs act as an outer filter. This architecture allows central governance teams to enforce compliance requirements without needing to modify every IAM policy in every account. For example, a healthcare organization might use an SCP to block all actions on DynamoDB tables that are not tagged with a specific compliance tag, using the Condition element. Another common use is to restrict access to AWS regions, which is done by denying actions unless the region is in an allowed list.
SCPs are defined in the management account of the organization but affect all member accounts. They can also be used in an organization that has enabled all features. The default SCP behavior is to allow all actions, meaning that if no SCP is attached, the implicit permission boundary is unlimited. Once an SCP is attached, it can restrict permissions. There is also a special type called a FullAWSAccess SCP that explicitly allows all actions. By default, when you enable SCPs, a FullAWSAccess SCP is attached to the root, OUs, and accounts to maintain existing access. If you want to implement a deny-by-default model, you can remove or modify that policy.
In practice, organizations often use a combination of allow lists and deny lists. An allow-list SCP specifies only the services or actions that are permitted, and everything else is implicitly denied. A deny-list SCP specifies actions to block, while allowing everything else. The choice depends on the security posture. Allow lists are more restrictive but harder to maintain as new services are introduced. Deny lists are more permissive but can miss new threats. Many organizations use both: a broad allow list for basic services and specific deny statements for high-risk actions.
SCPs integrate with AWS CloudTrail for logging and AWS Config for compliance monitoring. They are also a key part of the AWS Well-Architected Framework, specifically the Security Pillar, for implementing permission boundaries and centralized governance. SCPs are not available in organizations that use consolidated billing features only; they require the full set of organization features.
SCPs cannot affect the management account itself. The management account has full administrative privileges and is not subject to SCPs, by design. Similarly, service-linked roles and some AWS internal roles are also exempt from SCPs. This ensures that critical AWS services can still operate even if an SCP incorrectly blocks them. Also, SCPs do not apply to the root user of an account, although the root user is still subject to any resource-based policies or IAM boundary policies. However, root user actions can be blocked by SCPs if the SCP applies to the account.
SCPs are an essential tool for multi-account governance, especially for enterprises that must comply with regulations like HIPAA, PCI DSS, or SOC 2. They provide a scalable way to enforce security baselines across hundreds of accounts without requiring changes to each account's IAM setup. They also help prevent accidental privilege escalation by limiting the maximum possible permissions that an account administrator can delegate to users or roles. For example, if an SCP denies the ability to create IAM users, then even an account admin with full IAM permissions cannot create new IAM users. This layer of control is critical for maintaining a strong security posture in large AWS environments.
Real-Life Example
Think of a large shopping mall with many different stores. Each store is like an AWS account. The store owners (account administrators) can manage their own inventory, hire employees, and set their sales policies using IAM policies. However, the mall management (the organization) has overarching rules that all stores must follow. For example, the mall might have a rule that no store can install a permanent wall that blocks the main hallway, or no store can use a fire exit as a storage room. These are like Service Control Policies. Even if a store owner wants to do those things and tries to give permission to a contractor, the mall rules override that permission.
Now imagine a department store chain inside the mall that operates several separate shops (different AWS accounts). The regional manager (the OU) might impose additional rules, like all shops must use the same point-of-sale system vendor. That is an SCP attached to the OU. So the local managers cannot decide to switch to a different system. The SCP blocks that action at the account level.
In the cloud, an enterprise might have a finance account, a development account, a production account, and a security audit account. Without SCPs, if the development account admin accidentally gives a developer full administrator access, that developer could delete the production database if the accounts are connected. With an SCP that blocks delete operations on certain services, even if the developer gets full admin by some mistake, the SCP prevents the destructive action. The SCP acts like a fail-safe, ensuring that local permission errors don't become catastrophic.
Another analogy is a city ordinance. Each household (account) can decide what furniture to buy and where to put it (IAM policies). But the city (organization) has building codes that say you cannot remove load-bearing walls or block fire escapes (SCPs). You can decorate your living room any way you like, but you cannot violate the safety codes. SCPs are similar: they don't tell you what to do, but they tell you what you cannot do, no matter how you try to authorize it.
For exam takers, it's useful to think of SCPs as the outermost layer of a permission boundary. Imagine a set of nested boxes. The biggest box is the SCP boundary. Inside that is the IAM policy boundary. Inside that are the actual permissions. Even if the IAM policy allows something, if the outer SCP box does not allow it, the action is blocked. This nesting helps keep the concept clear.
Why This Term Matters
Service Control Policies matter because they provide a centralized, scalable way to enforce security and compliance across a large number of AWS accounts. Without SCPs, an organization would have to rely entirely on each account administrator to correctly configure IAM policies, which is error-prone and time-consuming. SCPs act as a safety net, ensuring that even if a local administrator makes a mistake or tries to circumvent security, the damage is limited. This is especially important in enterprises that must meet strict regulatory requirements, such as financial services or healthcare, where accidental data exposure or resource deletion can have severe consequences.
In practical IT work, SCPs are used to implement least privilege at the organizational level. For example, an SCP can block the use of root user credentials, enforce the use of multi-factor authentication, restrict access to specific AWS regions for data residency, or prevent the deletion of CloudTrail logs. These controls are vital for maintaining an audit trail and securing sensitive data. SCPs also help with cost management by blocking the launch of expensive instance types in non-production accounts.
For professionals managing multi-account environments, SCPs reduce the overhead of manually auditing each account. Instead of checking hundreds of IAM policies, you can set a few SCPs at the root level and know that certain dangerous actions are never possible. This efficiency is why SCPs are a core component of the AWS landing zone architecture. They are also essential for implementing the principle of boundary enforcement in zero-trust architectures.
From an exam perspective, understanding SCPs is critical for several AWS certifications, as well as security-focused certifications like CISSP and CompTIA Security+. Questions often test the difference between SCPs and IAM policies, how SCPs affect permissions, and what actions they can block. Knowing the hierarchy of policy evaluation and the exceptions (management account, service-linked roles) is key to answering scenario-based questions correctly.
How It Appears in Exam Questions
Service Control Policy questions typically appear in one of several patterns. The first pattern is the definition question: "Which AWS service or feature allows you to centrally control permissions across multiple accounts?" The answer is AWS Organizations with SCPs. Another variation asks: "What is the purpose of a Service Control Policy?" and the correct answer is to set permission guardrails, not to grant permissions.
Scenario-based questions are common. Example: A company has multiple AWS accounts for different business units. The security team wants to ensure that no one in any account can delete the Amazon S3 buckets that contain audit logs. Which solution meets this requirement with minimal operational overhead? The answer is to create an SCP that denies the s3:DeleteBucket action for all accounts. Another scenario: A developer in a member account has full AdministratorAccess IAM policy. However, the developer is unable to launch an EC2 instance of a specific instance type. The question asks for the most likely cause. The correct answer is that an SCP attached to the account or OU denies that action.
Another pattern tests the effect of multiple SCPs. For example: An OU has an SCP that allows only EC2 and S3 services. An account in that OU also has an SCP that denies the s3:DeleteBucket action. What actions are allowed on the EC2 service? The allowed actions are those EC2 actions that are not explicitly denied by any SCP, and within the scope of the allow list. Since allow lists block everything not listed, the effective permission is the intersection: EC2 actions are allowed, but only those not denied by other SCPs. This is a more complex question that requires understanding set theory.
Troubleshooting-style questions ask: An IAM user is unable to perform an action that is explicitly allowed in their IAM policy. What could be the reason? Options include SCP deny, resource-based policy deny, or permission boundary. The correct answer is likely an SCP if the organization uses AWS Organizations.
There are also questions about exceptions: Which entities are not affected by SCPs? The management account, service-linked roles, and some AWS internal roles are exempt. Also, SCPs do not affect the root user of an account if the SCP is configured incorrectly, but generally root user is subject to SCPs, except for some account recovery actions. However, the root user can be blocked by an SCP that denies specific actions.
Finally, questions can ask about the difference between allow-list and deny-list SCPs. For example: Which SCP strategy is more restrictive and requires regular updates as new services are added? The answer is an allow-list SCP because it only permits explicitly listed services, so new services are automatically blocked until added.
Knowing these patterns helps you identify what a question is testing and recall the relevant facts quickly.
Practise Service Control Policy Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine FinCorp, a financial services company that uses AWS Organizations with three accounts: a Development account, a Production account, and a SecurityLogs account. The security team wants to prevent anyone from deleting the CloudTrail trails that are used for audit logging. They also want to ensure that no EC2 instances are launched outside the us-east-1 region for compliance reasons.
To achieve this, they create a Service Control Policy named DenyDangerousActions. The policy has two statements: one denies the cloudtrail:DeleteTrail action, and the other denies all EC2 actions unless the request is for the us-east-1 region, using a condition key. The SCP is attached to the organization root, so it applies to all three accounts.
One day, a developer in the Development account, who has full AdministratorAccess IAM policy, tries to delete a CloudTrail trail that she created for testing. Even though her IAM policy allows it, the action is denied because the SCP explicitly denies cloudtrail:DeleteTrail. She doesn't get an error message that clearly says "SCP deny", but her request fails. Another developer tries to launch an EC2 instance in eu-west-1 for a test. That action is also denied because the SCP blocks non-us-east-1 regions.
Meanwhile, the Production account administrator decides to clean up old logs and attempts to delete the SecurityLogs bucket. An SCP denies that action, preventing accidental loss of audit data. The SCP works silently in the background, ensuring the company remains compliant.
This scenario demonstrates how SCPs enforce security rules without requiring changes to each account's IAM policies. The developers still have the flexibility to manage their own resources, but dangerous actions are blocked globally. For the exam, you can expect similar practical cases where you need to identify which policy mechanism (SCP, IAM, or resource policy) is the right tool for centralized enforcement.
Common Mistakes
Thinking that SCPs grant permissions to users or roles.
SCPs are guardrails that limit permissions, they never grant them. Only IAM policies (identity-based or resource-based) grant permissions. An SCP with an Allow effect does not grant any new permissions; it only states what actions are permissible within the boundary. The actual grant still requires an IAM policy.
Always remember: SCPs only set boundaries. They do not give anyone the ability to do something that IAM policies do not already allow. The effective permission is the intersection of SCP allows and IAM allows.
Believing that SCPs affect the management account.
The management account is not subject to SCPs. This is by design to ensure that organization administrators can always manage the organization. If SCPs applied to the management account, it could accidentally lock out the root user.
SCPs only apply to member accounts and OUs. The management account is always exempt. When designing governance, remember that SCPs cannot control the management account itself.
Assuming that an SCP with an Allow statement will automatically grant that permission to all users.
An SCP Allow statement does not replace the need for IAM policies. It only says that the action is within the allowed boundary. The user or role must still have an IAM policy that explicitly allows that action, and other permission boundaries (like permission boundaries on IAM roles) must also allow it.
Think of SCPs as a filter: they can only reduce the set of allowed actions, never increase it. An SCP Allow only permits the action to be considered if IAM also permits it.
Forgetting that SCPs can use both Allow and Deny effects, and that Deny overrides Allow.
Some learners think SCPs work only with Allow lists. In reality, you can use Deny statements to block specific actions even if other SCPs Allow them. A single Deny in any applicable SCP will deny the action, regardless of Allows.
When multiple SCPs apply, the net effect is the intersection of all Allow statements, minus any Deny statements. A Deny always wins. This is similar to IAM policy evaluation but at the organization level.
Confusing SCPs with IAM permission boundaries.
Both are permission guardrails, but they operate at different levels. Permission boundaries are applied to individual IAM roles or users and define the maximum permissions for that principal. SCPs are applied at the organization, OU, or account level and affect all principals in that account. They are not mutually exclusive but work together.
Permission boundaries are per-entity (role/user) boundaries within an account. SCPs are per-account boundaries. They both limit permissions but at different scopes. An SCP can further restrict what a permission boundary allows.
Thinking that SCPs can grant resource access based on Principal elements.
SCPs do not have a Principal element. They apply to all principals in the affected account by default. This is because SCPs are meant to set account-wide boundaries, not to specify who gets access.
In SCPs, the Principal is implicit and is always the set of all users, roles, and services within the affected accounts. Do not try to use Principal in an SCP; it will cause an error.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a scenario where a user in a member account has an IAM policy that allows full access to S3. Yet the user cannot delete an S3 bucket. The question asks what could be the cause.
Many learners choose \"The bucket policy denies the action\" or \"The IAM policy is misconfigured\" because they think the IAM policy is the problem. But the real answer is often that an SCP denies the s3:DeleteBucket action.","why_learners_choose_it":"Learners focus on IAM policies because they are more familiar.
They forget that SCPs can override even permissive IAM policies. Also, the scenario may not mention AWS Organizations explicitly, so learners assume it is a single account environment.","how_to_avoid_it":"Always consider the possibility of an SCP when you see an action being denied despite a permissive IAM policy.
The question might hint at a multi-account setup or mention 'organization' or 'central governance'. If the scenario involves multiple accounts or an enterprise environment, SCP is a top suspect."
Commonly Confused With
An IAM policy is an identity-based or resource-based policy that grants or denies permissions to a specific IAM user, group, or role. A Service Control Policy (SCP) is an organization-level policy that sets a maximum permission boundary for all principals in an account. SCPs do not grant permissions; IAM policies do. SCPs can only limit what IAM policies can allow.
An IAM policy on a user might allow ec2:RunInstances, but an SCP at the account level might deny all EC2 actions. The user cannot launch an instance, even with the IAM policy. The SCP overrides the IAM policy.
A permission boundary is an advanced IAM feature that sets the maximum permissions an IAM role or user can have. It is applied at the individual principal level. In contrast, an SCP is applied at the account or OU level and affects all principals in that account. Both limit permissions, but permission boundaries are more granular and are enforced within an account, while SCPs are enforced across accounts.
If a role has a permission boundary that allows only S3 and DynamoDB, that role cannot use EC2 even if an IAM policy allows it. If an SCP also denies EC2, the role is doubly blocked. If the SCP allows EC2 but the permission boundary does not, the action is denied due to the boundary.
AWS Organizations supports other policy types like Backup policies, Tag policies, and AI services opt-out policies. These govern specific aspects of resource configuration, while SCPs govern permissions. SCPs are about what actions can be taken, not about tagging or backup configurations.
A Tag policy might enforce that all EC2 instances have a specific tag. An SCP might deny the ability to launch an instance without that tag. The policies work together but serve different purposes.
A resource-based policy is attached directly to a resource, like an S3 bucket or a KMS key, and specifies who can access that resource and what actions they can perform. SCPs are attached to accounts or OUs and affect all resources in those accounts. Resource-based policies can grant cross-account access, while SCPs can only block access.
An S3 bucket policy might grant access to users from another account. But if an SCP in the other account denies s3:GetObject, those users cannot access the bucket, even though the bucket policy allows it.
Step-by-Step Breakdown
Enable AWS Organizations with all features
To use SCPs, you must first create an AWS Organization and enable all features. This is done in the management account. After enabling, you can create organizational units (OUs) and invite member accounts. SCPs are not available in a consolidated billing-only setup.
Create a Service Control Policy document
In the management account, navigate to the AWS Organizations console and select Policies, then Service Control Policies. Click Create policy. Write the policy in JSON format. The policy includes statements with Effect (Allow or Deny), Action (list of AWS service actions), Resource (usually '*'), and optional Condition. You can create from scratch or use the visual editor.
Attach the SCP to the desired target
You can attach the SCP to the organization root, to a specific OU, or directly to a member account. Attaching to the root applies the policy to all current and future member accounts. Attaching to an OU applies it to all accounts in that OU. The policy is inherited down the hierarchy.
Understand the default FullAWSAccess policy
By default, a policy named FullAWSAccess is attached to the root, OUs, and accounts. This policy explicitly allows all actions. If you want to restrict permissions, you must either modify or detach this policy and attach your custom SCP. Without this default policy, all actions are implicitly denied.
Evaluate the effective permissions
When a principal in a member account makes a request, AWS evaluates all SCPs attached to the account and its ancestors (root and OUs). The effective permission is the intersection of all Allow statements from all applicable SCPs. Any Deny statement in any SCP overrides all Allows. The resulting allowed actions are then passed to IAM for further evaluation.
Test and monitor with CloudTrail and IAM Access Advisor
After attaching SCPs, test by making API calls from member accounts. You can use IAM Access Advisor to see which services are allowed or denied. CloudTrail logs will show denied requests with an error indicating the policy type (SCP). This helps verify that your SCPs are working as intended.
Update SCPs as the organization evolves
SCPs are not static. As your organization adds new accounts, services, or compliance requirements, you should update your SCPs. For example, when AWS launches a new service, you may need to add it to your allow list if using an allow-list SCP. Review SCPs regularly to avoid unintended blocks.
Separate deny-list and allow-list strategies
Choose a strategy: deny-list (explicitly deny dangerous actions, allow everything else) or allow-list (explicitly allow only necessary services, deny all else). Allow-list is more secure but requires more maintenance. Many organizations use a hybrid approach: a baseline allow list at the root for common services and specific deny statements for high-risk actions.
Practical Mini-Lesson
In practice, Service Control Policies are one of the most powerful tools for an AWS administrator who manages a multi-account environment. They are not something you set once and forget; they require careful planning, regular review, and monitoring. The first step is to understand your organization's security and compliance requirements. For example, if you are subject to data sovereignty laws, you must ensure that no resources are created in restricted regions. An SCP can enforce that by using a condition key like aws:RequestedRegion. The policy might look like: Deny all actions on EC2, S3, and other services unless the region is in an allowed list. This is more effective than relying on each account admin to remember the rule.
Another practical use is to protect audit trails. You can create an SCP that denies the ability to stop, delete, or modify CloudTrail trails, S3 bucket policies for log buckets, and IAM roles used by CloudTrail. This ensures that logs are tamper-proof. Similarly, you can block the ability to disable AWS Config, which is crucial for compliance monitoring.
One of the most common mistakes in practical implementation is overly restrictive policies. For instance, a deny-all SCP that mistakenly blocks required AWS support services can break the organization. Always test SCPs on a test OU first, using a set of test accounts, before applying to production accounts. AWS provides a feature to simulate SCPs using the AWS Policy Simulator, which can help you see the effects before deployment.
What can go wrong? The most common issue is that an SCP becomes too permissive or too restrictive due to misconfiguration. For example, an SCP that denies all EC2 actions except a specific list requires that list to include every EC2 API you need, including ec2:DescribeInstances, which is needed for the console to work. If you miss that, the EC2 console will be broken for all users. Another issue is the interaction with other policies: if you have a permission boundary and an SCP, the effective permission is the intersection of both, which might be more restrictive than intended.
Professionals should also know that SCPs can be used to block the root user of an account from performing certain actions. For example, you can deny the root user from deleting the account or changing support plans. However, you cannot block the root user from performing actions that are necessary for account recovery, like changing the password? Actually, you can block most root actions, but AWS recommends caution because if you lock yourself out, you might need to contact AWS support.
Another important practice is to version control your SCP documents. Since they are JSON files, you can store them in a code repository and use infrastructure-as-code tools like AWS CloudFormation or Terraform to deploy them. This makes updates auditable and reproducible.
Finally, monitor for SCP-related errors. CloudTrail events with an error code of "AccessDenied" that reference a policy type of "SCP" indicate that an SCP blocked an action. You can set up CloudWatch alarms on these events to detect potential issues or security incidents early. This is especially important when you first deploy an SCP, as it may affect legitimate workflows that you hadn't considered.
Service Control Policy Fundamentals for AWS Security and Compliance
A Service Control Policy (SCP) is a policy-based access control mechanism used in AWS Organizations to centrally manage permissions across multiple accounts. SCPs are not identity-based or resource-based policies; instead, they act as a boundary or guardrail that defines the maximum permissions for all IAM users, roles, and service-linked roles in an AWS account or organizational unit (OU). When you attach an SCP to an account or OU, it restricts the actions that principals in those accounts can perform, even if an IAM policy explicitly grants those actions. This is a critical feature for security and compliance because it ensures that no entity in a child account can escalate privileges beyond the defined boundary.
SCPs are written in JSON format and follow the AWS IAM policy language. They can allow or deny specific AWS service actions, resources, and conditions. By default, AWS attaches a FullAWSAccess SCP to every root, OU, and account, which grants all permissions. When you create custom SCPs, you can either use an allow list (deny-by-default) or a deny list (allow-by-default). In a deny list, you explicitly deny specific actions while allowing everything else. In an allow list, you explicitly allow only specified actions and deny everything implicitly. The allow list is more restrictive and is often required for environments with strict compliance requirements, such as SOC 2, HIPAA, or PCI DSS.
Exam relevance: The AWS Certified Cloud Practitioner, AWS Certified Solutions Architect – Associate (SAA), and AWS SysOps Administrator – Associate exams test your understanding of SCPs as a governance tool. The CISSP, CySA+, and Security+ exams focus on the principle of least privilege and centralized policy enforcement, which SCPs directly support. The Microsoft exams (MD-102, MS-102, AZ-104, SC-900) do not cover SCPs directly, but the concept of policy-based access control in Azure (Azure Policy) is analogous, and understanding SCPs helps with cross-cloud comparisons. Key concepts include the difference between SCPs and IAM policies, the inheritance model, and the effect of SCPs on service-linked roles.
Service Control Policy Allow List Strategy: Implementation and Best Practices
An allow list strategy in Service Control Policies (SCPs) is a restrictive approach where you explicitly permit only specific AWS service actions, while implicitly denying all others. This is implemented by creating an SCP that contains an Allow effect for a set of actions, but you must also include a Deny effect for all other actions to enforce the boundary. In practice, you create an SCP with a statement that denies all actions except those you specifically allow. For example, you might allow only Amazon EC2, Amazon S3, and AWS IAM actions for development accounts, while blocking all other services. This ensures that developers cannot accidentally or maliciously use services that are out of scope, such as creating Redshift clusters or accessing sensitive databases like Amazon RDS.
To implement an allow list, you attach the SCP to an organizational unit (OU) or individual account. The policy must include an explicit Deny for all actions, but then you use a NotAction element to exclude the allowed services. Alternatively, you can use multiple statements: one to allow the specific actions and another to deny all remaining actions. The Allow statement does not grant permissions by itself; it only marks those actions as allowed within the SCP boundary. The actual permissions still require an IAM policy or resource-based policy to be effective. The SCP simply ensures that if an IAM policy tries to grant an action not in the allow list, the SCP will block it.
Best practices include starting with a deny list for most environments because it is less likely to break existing workloads. Allow lists are best for high-security environments, such as those handling classified data or financial transactions. You should also use multiple SCPs at different levels of the organization hierarchy: a root-level SCP for global restrictions (like disabling all resources in certain regions) and OU-level SCPs for environment-specific controls (like allowing EC2 only for development OUs). This layered approach reduces complexity and improves manageability. The AWS exams often ask about the trade-offs between allow lists and deny lists, and how SCPs interact with IAM permission boundaries. For instance, an IAM permission boundary and an SCP have similar effects, but SCPs apply to all principals in the account, while permission boundaries apply only to individual roles or users.
How Service Control Policy Cost Governance Works in AWS Organizations
Service Control Policies (SCPs) are a powerful tool for controlling cloud costs in AWS Organizations, but they do not directly manage billing. Instead, SCPs prevent users from creating or modifying resources that could incur unexpected costs. For example, you can create an SCP that denies the ec2:RunInstances action for specific instance types, such as expensive GPU instances like p3.16xlarge. This ensures that developers cannot accidentally provision high-cost resources, keeping the AWS bill predictable. Similarly, you can deny actions like rds:CreateDBInstance for database engines that are costly, or block the creation of resources in expensive regions like Asia Pacific (Tokyo) when you want to enforce usage only in cheaper regions like US East (N. Virginia).
To implement cost controls, you must use condition keys in SCPs. The global condition key aws:RequestedRegion allows you to restrict which regions resources can be created in. The condition key ec2:InstanceType allows you to filter specific EC2 instance types. You can also use resource-level conditions, such as rds:DatabaseEngine to restrict database engine types. For example, to block all EC2 instances of type t2.micro except in specific accounts, you would create a Deny statement with the ec2:InstanceType condition. You can use the aws:ResourceTag condition key to require that resources have cost allocation tags, such as a CostCenter tag. Without proper tags, the action is denied, helping you track costs across accounts.
Cost governance with SCPs also includes preventing the modification of billing settings. SCPs can deny actions like aws-portal:ModifyAccount or aws-portal:ModifyBilling, which prevents IAM users from changing payment methods or turning off billing alerts. This is critical for large organizations where centralized finance teams manage the master payer account. However, SCPs cannot control actions that affect the management account itself; they only apply to member accounts. Also, SCPs cannot prevent actions that have already incurred costs, such as running EC2 instances started before the policy was applied. You need to combine SCPs with AWS Budgets and AWS Cost Explorer for full visibility. The AWS exams frequently test the use of condition keys in SCPs for cost control, especially in the Solutions Architect and SysOps exams. Understanding how to write JSON with conditions is essential.
Service Control Policy Evaluation Logic and Inheritence Model in AWS Organizations
Service Control Policies (SCPs) follow a specific evaluation logic that is essential for exam success. The key rule is that SCPs are not evaluated globally across the organization; instead, they are applied at each level of the organization hierarchy (root, OU, and account). The final effective permissions for an account are the intersection of all SCPs attached to the account itself, all OUs it belongs to, and the root. In other words, the most restrictive policy wins. This is because SCPs are evaluated using a deny-by-default approach for explicit denies, but allow-by-default only if all SCPs in the hierarchy allow the action. If one SCP allows an action and another SCP denies it, the deny overrides the allow. This is different from IAM policies, where an explicit allow overrides a default deny, but an explicit deny overrides any allow. In SCPs, an explicit deny always wins.
The inheritance model is straightforward: SCPs attached to a parent OU propagate to all child OUs and accounts. However, if you attach a new SCP directly to an account, that SCP does not propagate upwards to OUs or the root. You can also create multiple SCPs at the same level, and they are evaluated together. For example, if a root-level SCP denies ec2:RunInstances, and an OU-level SCP allows ec2:RunInstances, the result is a deny because the explicit deny from the root-level SCP overrides the allow. To allow the action, you must either remove the root-level deny or attach an allow statement that does not conflict. Importantly, SCPs do not grant permissions; they only set boundaries. The actual permissions come from IAM policies. So, even if an SCP allows an action, the user must still have an appropriate IAM policy to perform that action.
The evaluation logic also includes service-linked roles. Service-linked roles (SLRs) are special roles created by AWS services that have their own trust policies. SCPs can affect SLRs only if the SCP explicitly denies the actions that the SLR performs. For most SLRs, the default FullAWSAccess SCP allows all actions, so blocking specific actions may break the service. Therefore, when creating restrictive SCPs, you must be careful not to deny actions required by AWS services like Amazon Inspector or AWS Config. The exam scenarios often present a scenario where an admin attaches a restrictive SCP and then a service fails to work properly, testing the understanding of SLR and SCP interaction. Another common exam question involves the use of the SCP effect to block root user actions (like changing account settings) by denying the action aws-portal:ModifyAccount, but note that root user itself in the master account cannot be blocked by SCPs because SCPs do not apply to the management account.
Troubleshooting Clues
SCP not taking effect for specific IAM user
Symptom: IAM user can still perform actions that should be denied by the SCP.
SCPs apply to all principals in the account, but the IAM user might be using a role that has a permission boundary. Also, check if the SCP is attached to the correct account or OU. SCPs attached to the root or OUs propagate to child accounts. A common misconfiguration is attaching the SCP to the wrong target.
Exam clue: Exam questions often have a scenario where a user is in a child account but the SCP is only attached to the root OU. The user gets permissions because the SCP did not propagate correctly.
SCP blocking service-linked role operations
Symptom: An AWS service (like AWS Config or Amazon Inspector) fails to create resources or list resources.
Service-linked roles have a trust policy that AWS creates. If an SCP denies actions that the SLR needs to perform (like ec2:DescribeInstances), the service breaks. SCPs cannot be prevented from affecting SLRs unless you have an explicit allow for the actions.
Exam clue: The exam tests that SCPs can affect SLRs. A scenario where a service stops working after attaching a restrictive SCP is a common question.
FullAWSAccess SCP not visible in management account
Symptom: When listing policies in the management account, the FullAWSAccess policy is not returned.
The FullAWSAccess SCP is automatically attached to the root, OUs, and accounts by default, but it is not created as a policy object in the management account. It is a built-in default policy. You cannot delete it, but you can detach it.
Exam clue: Know that FullAWSAccess is a default policy that is attached automatically. If you detach it, all actions are denied by default until you create an allow list policy.
SCP denies action but IAM policy allows it: SCP still blocks
Symptom: User has an IAM policy that allows ec2:RunInstances, but the instance launch fails with access denied.
SCP evaluation is separate from IAM. If the SCP denies the action, it overrides any allow in the IAM policy. This is by design for centralized guardrails.
Exam clue: Classic exam question: 'Which policy wins: SCP deny or IAM allow?' Answer: SCP deny always wins.
SCP not inherited by child accounts when attached to parent OU
Symptom: After attaching an SCP to an OU, some accounts under that OU still have full access.
Ensure that the SCP is attached directly to the OU, not just to the root. Also, check if the child accounts have their own SCP attached that allows the action. Inheritance combines all SCPs in the hierarchy; if one child account has its own SCP that allows the action and the parent OU does not deny it, the action may be allowed.
Exam clue: Exams test inheritance: SCPs attached to parent OUs affect all child accounts. But if a child account has its own SCP, both are evaluated.
EnablePolicyType fails with 'AlreadyExistsException'
Symptom: When running the enable-policy-type command, AWS returns an error saying the policy type already exists.
SCPs may already be enabled if you have used AWS Organizations in the past. You can check by describing the organization and looking at the AvailablePolicyTypes field.
Exam clue: Know that if SCPs are already enabled, you cannot enable them again. The exam may ask about the error message or how to verify the current state.
SCP policy syntax is invalid
Symptom: When creating an SCP, AWS returns a policy syntax error message.
SCPs follow the IAM policy language but have restrictions. For example, you cannot use 'Effect': 'Allow' without having a corresponding 'NotAction' deny. Also, some actions like 'iam:PassRole' are not supported in SCPs. Check the AWS documentation for SCP-specific limitations.
Exam clue: The exam may present an SCP JSON with invalid syntax (like missing Version or misspelled keys) and ask what the error is.
Memory Tip
SCP stands for Service Control Policy. For acronym: "Security Controls Protect." For concept: "SCPs Set the Ceiling, IAM gives the Permissions", think of an SCP as the ceiling height in a room; it does not lift you up, but it stops you from going too high.
Learn This Topic Fully
This glossary page explains what Service Control Policy means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →CLF-C02CLF-C02 →SAA-C03SAA-C03 →SOA-C02SOA-C02 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Quick Knowledge Check
1.An AWS Administrator attaches a Service Control Policy (SCP) to an organizational unit (OU) that denies the ec2:RunInstances action. An IAM user in a child account under that OU has an IAM policy that allows ec2:RunInstances. What happens when the user tries to launch an EC2 instance?
2.When using a Service Control Policy with an allow list strategy, which of the following statements is correct about the default behavior?
3.A company uses AWS Organizations with multiple accounts. They attach an SCP to the root that denies the s3:DeleteBucket action. Later, they attach another SCP to an OU that allows s3:DeleteBucket. What is the effective permission for an IAM user in a child account under that OU?
4.Which of the following AWS services is affected by a Service Control Policy that denies the ec2:DescribeInstances action?
5.An AWS administrator wants to enforce that all EC2 instances created in member accounts must have a tag with key 'CostCenter'. Which condition key should they use in an SCP?