This chapter covers Service Control Policies (SCPs), a critical governance feature of AWS Organizations. SCPs allow you to centrally control the maximum permissions for all accounts in your organization. For the CLF-C02 exam, this objective falls under Domain 3: Cloud Technology Services, and you can expect 1-2 questions on SCPs, often comparing them to IAM policies or permission boundaries. Mastering SCPs is essential for understanding how AWS enforces security and compliance at scale.
Jump to a section
Imagine a multinational corporation with many departments. The CEO sets a company-wide policy: 'No department may sign contracts over $1 million without board approval.' This is an SCP — a guardrail that applies to everyone, even the most senior VPs. Within that boundary, each VP can delegate authority to their managers: a VP of Engineering can say 'Managers can approve up to $50k for cloud resources.' That's an IAM permission boundary — it limits what a manager can do, but the manager can still grant permissions within that limit. Now, a specific manager might have an IAM policy that says 'Allow EC2 start/stop.' But if the SCP says 'Deny all EC2 operations,' that manager's permission is irrelevant because the SCP overrides. SCPs work like a filter: they set a maximum allowed set of actions for all accounts in an AWS Organization. Even the root user of a member account is subject to SCPs. However, SCPs never grant permissions; they only define a permission guardrail. To actually perform an action, an IAM policy must also allow it. Think of SCPs as the corporate bylaws, IAM permission boundaries as departmental charters, and IAM policies as individual job descriptions.
What Are Service Control Policies (SCPs) and the Problem They Solve
Service Control Policies (SCPs) are a feature of AWS Organizations that enable you to centrally manage permissions across multiple AWS accounts. They are not a substitute for IAM policies; rather, they act as a guardrail that defines the maximum permissions that any principal (user, group, or role) in a member account can have. The core problem SCPs solve is the lack of centralized control in multi-account environments. Without SCPs, each account administrator can grant any permission to any user, potentially leading to security breaches or compliance violations. For example, a developer in a sandbox account could accidentally grant themselves full administrative access, which is risky in production. SCPs allow a central governance team to enforce policies like "No account can delete S3 buckets" or "Only approved services can be used."
How SCPs Work
SCPs are JSON policy documents that you attach to an AWS Organization root, an organizational unit (OU), or a specific member account. They affect all IAM users, groups, and roles within the target accounts, including the root user. However, SCPs do not grant permissions; they only define a filter. For an action to be allowed, both the SCP and the IAM policy must allow it (explicit allow). If either denies it, the action is denied. This is known as the "effective permissions" model: the intersection of the SCP and the IAM policy.
SCPs support two types of policies: - Allow lists: By default, all actions are denied. You explicitly list allowed actions. This is more restrictive and is commonly used for high-security environments. - Deny lists: By default, all actions are allowed. You explicitly list denied actions. This is more permissive and is typical for most organizations.
Key details:
SCPs are inherited: a policy attached to the root affects all accounts; a policy attached to an OU affects all accounts in that OU. The most restrictive policy applies (i.e., if any SCP denies an action, it is denied).
SCPs cannot be used to grant permissions to service-linked roles or to the management account itself (the management account is not subject to SCPs).
SCPs have a size limit of 5,120 characters per policy.
Key Tiers, Configurations, and Pricing
SCPs are a feature of AWS Organizations, which is free of charge. However, you must enable all features in your organization to use SCPs. There is no additional cost for SCPs themselves. The only pricing consideration is the number of policies you create and the number of attachments, but these are within generous limits (up to 1,000 SCPs per organization, up to 15 policies per target).
Comparison to On-Premises or Competing Approaches
In an on-premises environment, you might use Active Directory Group Policy Objects (GPOs) to enforce settings across computers. However, GPOs control operating system settings, not cloud API permissions. SCPs are more analogous to a centralized IAM governance layer. Competing cloud providers like Google Cloud have Organization Policies, which function similarly but use a different syntax. Azure has Azure Policy, which can enforce tags or resource types but also includes Azure RBAC for role assignments. SCPs are unique in that they apply to all principals in an account, including the root user.
When to Use SCPs vs Alternatives
Use SCPs when you need to enforce baseline restrictions across all accounts, such as disallowing deletion of logs or restricting access to certain AWS services.
Use IAM permission boundaries when you want to limit the maximum permissions that an IAM entity can have, but you still want to delegate permission management to account administrators.
Use IAM policies for fine-grained permissions for specific users or roles.
SCPs are ideal for large organizations with many accounts that need to comply with regulatory requirements (e.g., PCI-DSS, HIPAA).
Example SCP (Deny List)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:DeleteUser"
],
"Resource": "*"
}
]
}This SCP denies the ability to create or delete IAM users in any account it is attached to.
Example SCP (Allow List)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"s3:GetObject"
],
"Resource": "*"
}
]
}This SCP only allows EC2 describe actions and S3 GetObject. Everything else is implicitly denied.
Enable AWS Organizations
To use SCPs, you must first create an AWS organization. If you already have one, ensure that all features are enabled (not just consolidated billing). Go to the AWS Organizations console, choose 'Create organization', and then enable all features. This step is irreversible; once enabled, you can use SCPs and other advanced features. The management account is automatically created and is not subject to SCPs. You then invite existing accounts or create new ones as member accounts.
Create a Service Control Policy
In the AWS Organizations console, navigate to 'Policies' and then 'Service control policies'. Click 'Create policy'. You can use the visual editor or write JSON. Define the policy effect (Allow or Deny), actions, and resources. For example, to deny access to the EC2 RunInstances action, set Effect to 'Deny', Action to 'ec2:RunInstances', and Resource to '*'. Save the policy with a name and description. You can create up to 1,000 SCPs per organization.
Attach the SCP to a Target
Select the SCP you created and choose 'Attach'. You can attach it to the organization root, an OU, or a specific member account. The policy is inherited by all accounts under that target. For example, attaching a deny policy to the root affects every account in the organization. Attaching to an OU affects only accounts in that OU. You can attach up to 15 SCPs to each target. The effective permissions are the intersection of all attached SCPs and the account's IAM policies.
Test the SCP
After attaching the SCP, log in to a member account as an IAM user with full admin permissions. Attempt the denied action (e.g., launching an EC2 instance). You should receive an 'AccessDenied' error. Note that SCPs apply immediately, but there may be a short propagation delay (usually seconds). Also test that allowed actions still work. Use the IAM policy simulator in the AWS console to test effective permissions without actually performing the action.
Monitor and Audit SCPs
Use AWS CloudTrail to log API calls that are denied by SCPs. CloudTrail records the event with an error code 'AccessDenied' and a message indicating the SCP that caused the denial. You can also use AWS Config rules to check that SCPs are attached to all accounts. Regularly review SCPs to ensure they are not overly restrictive, which can block legitimate operations. Use the IAM Access Analyzer to identify unused permissions and refine your SCPs.
Scenario 1: Financial Services Compliance
A bank uses AWS Organizations with 100 accounts. They need to comply with PCI-DSS, which requires that production data cannot be deleted or modified outside of change windows. The central security team creates an SCP that denies s3:DeleteObject, s3:PutObject, and dynamodb:DeleteItem for all accounts except a change management account. This SCP is attached to the production OU. Developers in production accounts cannot accidentally delete data. However, they can still read data via IAM policies. The SCP also denies iam:CreateUser to prevent creation of new users without oversight. When a security auditor requests a report, CloudTrail logs show that any denied attempt is recorded with the SCP name, providing full audit trail. The cost is zero for SCPs; the only cost is CloudTrail logging if trails are enabled.
Scenario 2: SaaS Startup with Developer Sandboxes
A startup has 20 accounts: one for each developer. They want to ensure that developers cannot launch expensive resources or access production data. The central IT team attaches an SCP that denies ec2:RunInstances with instance types larger than t3.large, and denies rds:CreateDBInstance. This SCP is applied to the 'sandbox' OU. Developers can still launch small instances and use RDS if needed, but they are limited. One developer misconfigures an IAM policy that grants full admin access, but the SCP prevents them from launching a large instance, saving costs. Without SCPs, the developer could have launched a p3.16xlarge instance, costing thousands of dollars per hour. The SCP also denies access to the AWS billing console, preventing developers from viewing cost data.
Scenario 3: Government Agency with Strict Data Sovereignty
A government agency requires that all data remain in the US region. They create an SCP that denies all actions on resources outside us-east-1 and us-west-2. The SCP uses a condition key 'aws:RequestedRegion' to deny if the region is not in the allowed list. This SCP is attached to the root, affecting all accounts. Without SCPs, an account administrator could accidentally launch resources in eu-central-1, violating data sovereignty. The SCP also denies iam:CreateServiceLinkedRole to prevent automatic creation of roles that might access other regions. The agency uses AWS Config to monitor compliance and receives alerts if any resource is created outside allowed regions. The SCP ensures that even if an IAM policy allows cross-region actions, the SCP blocks them.
What CLF-C02 Tests on SCPs
Domain 3 (Cloud Technology Services) includes questions on SCPs as part of 'AWS Organizations'. You need to know:
SCPs are used to centrally control permissions for all accounts in an organization.
SCPs do not grant permissions; they only define a guardrail.
SCPs affect all IAM users, groups, and roles, including the root user of member accounts.
The management account is NOT subject to SCPs.
SCPs can be allow lists or deny lists.
SCPs are inherited from root to OU to account.
Effective permissions are the intersection of SCPs and IAM policies.
Common Wrong Answers and Why
"SCPs can grant permissions." This is false. SCPs only filter; they never grant. Candidates confuse SCPs with IAM policies.
"SCPs apply to the management account." False. The management account is exempt. Candidates think all accounts are equal.
"SCPs replace IAM policies." False. Both are needed. Candidates think SCPs are a substitute.
"SCPs are evaluated before IAM policies." Not exactly; they are evaluated together. The effective permission is the intersection. Candidates think there's a strict order.
Specific Terms and Values on the Exam
AWS Organizations
Management account (formerly master account)
Organizational Unit (OU)
Service Control Policy (SCP)
Allow list vs Deny list
Effective permissions
Root user (of member accounts)
Policy size limit: 5,120 characters
Maximum 1,000 SCPs per organization
Maximum 15 SCPs per target
Tricky Distinctions
SCP vs IAM Permission Boundary: Both limit maximum permissions, but SCPs apply to all principals in an account, while permission boundaries apply to a specific IAM entity. SCPs are set at the organization level; permission boundaries are set per IAM role/user.
SCP vs IAM Policy: IAM policies grant or deny permissions to specific principals. SCPs are account-wide guardrails. Both must allow for an action to be allowed.
Decision Rule for Multiple Choice
If a question asks about centrally controlling permissions across many accounts, look for SCPs. If it asks about limiting a specific user's permissions, look for IAM permission boundaries or IAM policies. If it mentions 'guardrail' or 'maximum permissions', it's likely SCPs.
SCPs are a feature of AWS Organizations used to centrally control permissions across all accounts.
SCPs do not grant permissions; they only define a guardrail (maximum allowed set).
The management account is not subject to SCPs; member accounts are, including the root user.
Effective permissions = intersection of SCPs and IAM policies.
SCPs can be allow lists (implicit deny) or deny lists (explicit deny).
You can attach up to 15 SCPs per target and create up to 1,000 SCPs per organization.
SCPs are free to use; only standard AWS Organizations costs apply (none).
SCPs are inherited from root to OU to account; the most restrictive policy applies.
These come up on the exam all the time. Here's how to tell them apart.
Service Control Policy (SCP)
Applies to all principals in an account (root, users, roles).
Set at the organization, OU, or account level.
Cannot grant permissions; only defines a maximum.
Affects even the root user of member accounts.
Managed in AWS Organizations console.
IAM Permission Boundary
Applies to a specific IAM user or role.
Set at the IAM entity level.
Also defines maximum permissions but does not grant.
Does not affect the root user.
Managed in IAM console.
Mistake
SCPs can grant permissions to users in member accounts.
Correct
SCPs never grant permissions; they only define a maximum allowed set. Permissions must still be granted via IAM policies.
Mistake
SCPs apply to the management account.
Correct
SCPs do not apply to the management account. They only affect member accounts.
Mistake
SCPs replace the need for IAM policies.
Correct
SCPs and IAM policies work together. An action is allowed only if both the SCP and the IAM policy allow it.
Mistake
SCPs can be used to deny access to the AWS Management Console.
Correct
SCPs can deny actions, but they cannot directly block console access. To block console access, you must deny the 'aws:RequestedRegion' or specific console actions like 'iam:CreateUser'.
Mistake
SCPs are evaluated after IAM policies.
Correct
SCPs and IAM policies are evaluated together. The effective permission is the intersection of both. There is no sequential order.
An SCP is a guardrail that sets the maximum permissions for all principals in an account, but it never grants permissions. An IAM policy grants or denies permissions to specific users, groups, or roles. For an action to be allowed, both the SCP and the IAM policy must allow it. Exam tip: If a question mentions 'centrally controlling permissions across accounts,' think SCPs; if it mentions 'granting permissions to a user,' think IAM policies.
Yes. SCPs apply to the root user of member accounts. For example, you can create an SCP that denies the root user from performing certain actions. However, the root user of the management account is not affected by SCPs. Exam tip: Remember that the management account is exempt from SCPs, but member account root users are not.
The account becomes effectively locked down. No IAM user or role (including the root user) can perform any AWS API call. However, the root user can still sign in to the AWS Management Console, but they will see access denied errors for most actions. To recover, you must detach the SCP from the account using the management account. Exam tip: This is a common scenario to test understanding of SCP severity.
SCPs are inherited from the organization root to OUs to accounts. If you attach an SCP to the root, it applies to all accounts. If you attach an SCP to an OU, it applies to all accounts in that OU. If multiple SCPs are attached, the effective policy is the intersection of all SCPs (most restrictive). Exam tip: The most restrictive SCP wins; if any SCP denies an action, it is denied.
Indirectly, yes. SCPs can use condition keys like 'aws:RequestTag' or 'aws:ResourceTag' to require specific tags. For example, you can deny ec2:RunInstances unless the request includes a tag 'Environment=Production'. However, SCPs cannot enforce that existing resources have tags; for that, use AWS Config rules. Exam tip: SCPs can control actions at the time of request, not retroactively.
SCPs are global, but you can use condition keys to restrict actions to specific regions. For example, you can deny ec2:RunInstances unless the region is us-east-1. This is done using the 'aws:RequestedRegion' condition key. Exam tip: SCPs apply globally unless you add region conditions.
No. SCPs do not affect service-linked roles. Service-linked roles are predefined by AWS services and are exempt from SCPs. Exam tip: This is a common trick question; remember that service-linked roles bypass SCPs.
You've just covered Service Control Policies and SCPs — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?