This chapter covers AWS Organizations and Service Control Policies (SCPs), a critical topic for the Security Compliance domain of the CLF-C02 exam. Understanding how to centrally manage multiple AWS accounts and apply permission guardrails is essential for enterprise governance. This objective represents approximately 10-15% of the Security Compliance domain, making it a high-yield study area. By the end of this chapter, you will understand how to create an organization, organize accounts into organizational units (OUs), and attach SCPs to enforce security boundaries across your entire AWS environment.
Jump to a section
Imagine a large corporation with multiple divisions: Retail, Finance, and R&D. The corporate headquarters (AWS Organizations) owns the entire company. Each division is a separate business unit (AWS account) with its own budget and team. The CEO (management account) can set company-wide rules, like 'no division may hire contractors without approval' or 'all purchases over $10,000 must be signed by the CFO'. These rules are written as official policies (Service Control Policies, or SCPs). The CEO can apply a policy to the entire company (root organizational unit) or to specific divisions (OUs). If a policy says 'no contractor hiring', the HR department in any division cannot hire contractors, even if the division head wants to. But the CEO can also delegate some authority: the Retail division can have its own policy that says 'all marketing hires need VP approval', as long as it doesn't conflict with the company-wide rule. The key mechanism: SCPs are like guardrails that set permissions boundaries. They do not grant permissions; they simply say what is allowed or denied. If an SCP denies an action, it cannot be done, even if an IAM policy grants it. This is analogous to a corporate policy that overrides local decisions. If the CEO removes the 'no contractor' policy, divisions can then decide for themselves. SCPs are inherited: a policy applied to the parent OU flows down to all child OUs and accounts. This hierarchical structure mirrors how many enterprises organize their subsidiaries, with centralized control but operational autonomy within boundaries.
What is AWS Organizations and the Problem It Solves
AWS Organizations is a free service that enables you to centrally manage multiple AWS accounts. As your business grows, you might have separate accounts for development, testing, production, and different business units. Without a central management tool, each account is a silo – you must log in to each one to apply policies, track costs, and manage users. This leads to inconsistent security, billing chaos, and operational overhead.
AWS Organizations solves this by providing a single point of control. You designate one account as the management account (formerly called the master account). From this account, you can create new accounts, invite existing accounts to join, group accounts into organizational units (OUs), and apply policies across the entire organization. The most important policies are Service Control Policies (SCPs), which set permission guardrails that apply to all accounts in an OU or the whole organization.
How AWS Organizations Works – The Mechanism
When you create an organization, AWS automatically creates a root container. All accounts are placed under this root. You can then create OUs as sub-containers. For example:
- Root - Security OU (contains audit account, logging account) - Workloads OU - Production OU (contains prod accounts) - Development OU (contains dev accounts)
Each account can be in only one OU at a time. The management account is always separate and not subject to SCPs by default (though you can apply SCPs to it, but it's not recommended).
SCPs are JSON policy documents that specify allowed or denied actions. They use the same syntax as IAM policies but have a different effect. An SCP does not grant permissions – it defines a maximum permission boundary. For a user or role to actually perform an action, three conditions must be met:
The SCP must allow the action (or not deny it).
The IAM policy attached to the user/role must allow the action.
There must be no explicit deny in either the SCP or IAM policy.
If an SCP denies an action, it is blocked regardless of what IAM policies say. This is the key difference from IAM: SCPs act as an overarching guardrail.
Key Tiers, Configurations, and Pricing
AWS Organizations itself is free. There is no cost to create an organization, create OUs, or attach policies. However, you pay for the AWS services used in each member account (e.g., EC2, S3). The management account can consolidate billing, giving you volume discounts across all accounts.
There are two feature sets:
Consolidated Billing: Only the billing feature is enabled. You can see combined costs but cannot apply SCPs.
All Features: Enables SCPs, account creation via API, and other advanced features. You must enable all features to use SCPs.
Limits:
Maximum of 5 accounts you can create per 24-hour period (soft limit, can be increased).
Maximum of 1,000 SCPs per organization.
Maximum of 5,120 characters per SCP (including whitespace).
Maximum of 1,000 OUs per organization.
Comparison to On-Premises or Competing Approaches
In an on-premises environment, centralizing security policies across multiple business units often requires separate directory services, network segmentation, and manual configuration. AWS Organizations provides a cloud-native way to enforce policies at scale. Without it, you would need to replicate IAM policies across every account manually, which is error-prone. Competing cloud providers offer similar services (e.g., Azure Management Groups with Azure Policy, GCP Organizations with Organization Policies). However, AWS Organizations is tightly integrated with IAM, making it a foundational component for multi-account strategies.
When to Use AWS Organizations vs Alternatives
Use AWS Organizations when: You have multiple AWS accounts and need centralized billing, policy enforcement, or account management. It's essential for enterprises that follow the multi-account strategy recommended by AWS Well-Architected Framework.
Alternatives: If you have only one account, you don't need Organizations. For simple billing consolidation without SCPs, you could use Consolidated Billing alone (but that's a subset of Organizations features). For fine-grained permissions within a single account, use IAM. For compliance frameworks like PCI-DSS, SCPs are often required to enforce restrictions across accounts.
How SCPs Work in Detail
SCPs are attached to the root, OUs, or directly to accounts. They are inherited by all child OUs and accounts. For example, if you attach an SCP to the root that denies all actions on EC2, no account in the organization can use EC2. If you attach an SCP to the Production OU that denies deleting CloudTrail trails, only accounts in Production are affected.
SCPs can use allow lists or deny lists. An allow list explicitly allows only specific actions (denying everything else by default). A deny list explicitly denies certain actions while allowing everything else. AWS recommends starting with a deny list approach to avoid accidentally blocking necessary services.
Example SCP (deny list):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:DeleteUser"
],
"Resource": "*"
}
]
}This SCP prevents any account in the target OU from creating or deleting IAM users. Note that the management account is not affected by default.
Best Practices
Always enable All Features if you plan to use SCPs.
Use OUs to reflect your organizational structure (e.g., by environment, business unit, or compliance requirements).
Apply SCPs at the highest level possible to reduce duplication.
Use AWS CloudTrail to log all API calls, including those denied by SCPs.
Test SCPs in a non-production OU first.
Remember that SCPs affect all principals in the account, including the root user of member accounts. However, the root user of the management account is not affected.
Create an AWS Organization
Sign in to the AWS Management Console as the root user or an admin of the account that will become the management account. Navigate to AWS Organizations and choose 'Create organization'. AWS will create the organization with a root container. By default, only consolidated billing features are enabled. To use SCPs, you must enable all features. Go to the Settings tab and choose 'Enable all features'. Confirm the change. Behind the scenes, AWS creates a service-linked role named `AWSServiceRoleForOrganizations` in the management account to allow Organizations to manage accounts and policies. This step is irreversible – once you enable all features, you cannot go back to consolidated billing only.
Invite or Create Member Accounts
To add existing AWS accounts, go to the 'Accounts' tab and choose 'Add account' > 'Invite account'. Enter the email address or account ID of the target account. The owner of that account will receive an invitation email and must accept it. To create new accounts directly from the management account, choose 'Create account'. You must provide an email address that is not already associated with an AWS account. AWS will create the account with root credentials sent to that email. You can also use the AWS Organizations API or CLI to automate account creation. Behind the scenes, AWS creates a new account and automatically attaches it to the specified OU (or the root if none specified). The management account can assume a role in the new account to configure it.
Create Organizational Units (OUs)
OUs help you group accounts for policy application. In the AWS Organizations console, select the root and choose 'Create new'. Name the OU (e.g., 'Production', 'Development'). You can nest OUs up to 5 levels deep. Drag and drop accounts into the appropriate OUs. For example, move your production accounts into a 'Production' OU, which might be under a 'Workloads' OU. AWS does not enforce any rules on how you structure OUs; it's purely organizational. However, the structure determines how SCPs are inherited. An SCP attached to a parent OU flows down to all child OUs and accounts.
Create Service Control Policies (SCPs)
In the Policies tab, choose 'Create policy'. You can write the policy JSON manually or use the visual editor. For example, to deny the ability to disable CloudTrail or delete logs, create a deny policy. Name it something descriptive like 'DenyCloudTrailDeletion'. Use the JSON editor to define the effect, actions, and resources. A common practice is to create an 'allow list' policy that only allows specific services (e.g., 'Allow only EC2, S3, and IAM'). Then attach that SCP to an OU. Behind the scenes, AWS stores the policy and assigns it an ID (e.g., `p-examplepolicyid`). You can create up to 1,000 SCPs per organization.
Attach SCPs to OUs or Accounts
Select an OU or account in the console, go to the 'Policies' tab, and choose 'Attach'. Select the SCP you created. You can attach multiple SCPs per target. The effective permissions are the intersection of all attached SCPs (i.e., if any SCP denies an action, it is denied). For example, if you attach a deny policy for 'iam:CreateUser' to the root and an allow policy for all IAM actions to a child OU, the deny still applies because SCPs are additive. The management account is not affected by SCPs unless you explicitly attach them (not recommended). AWS recommends using the `FullAWSAccess` policy as a baseline (it allows all actions) and then attaching deny policies to restrict. When you enable all features, AWS automatically creates a default `FullAWSAccess` SCP and attaches it to the root.
Scenario 1: Enterprise Compliance with PCI-DSS
A financial services company must comply with PCI-DSS, which requires strict controls over who can access production environments. They use AWS Organizations to manage over 50 accounts. The security team creates OUs for 'PCI-Production', 'PCI-Testing', and 'Non-PCI'. They attach SCPs to the 'PCI-Production' OU that:
Deny iam:CreateUser, iam:DeleteUser, iam:UpdateUser to prevent unauthorized user management.
Deny ec2:RunInstances with instance types not approved (using condition keys).
Deny cloudtrail:StopLogging and cloudtrail:DeleteTrail to ensure audit logging remains enabled.
When a developer tries to launch an unauthorized instance type, the SCP denies the API call even if the developer's IAM role allows it. This enforces compliance without relying on individual account administrators. The security team uses AWS CloudTrail to monitor denied API calls and receives alerts if anyone attempts a blocked action. Cost: the SCPs themselves are free, but the organization pays for the underlying resources in each account. Misconfiguration: if the security team accidentally attaches a deny-all SCP to the root, all accounts lose access. They always test new SCPs on a single test account first.
Scenario 2: Centralized Billing and Cost Control
A startup uses AWS Organizations to consolidate billing across 10 accounts for different teams (engineering, marketing, data science). The finance team uses the management account to view a single bill and get volume discounts. They also use SCPs to enforce cost controls. For example, they attach an SCP to the 'Development' OU that denies ec2:RunInstances with instance types larger than t3.large. This prevents developers from accidentally launching expensive instances. They also deny rds:CreateDBInstance for database instances that are not db.t3.micro. This keeps development costs low. The SCPs do not grant permissions; they only set boundaries. Developers still need IAM roles that allow EC2 actions, but the SCP ensures they cannot exceed the size limit. If a developer needs a larger instance for a legitimate reason, they must request an exception from the finance team, who can temporarily detach the SCP or create a new one with a broader allowance. This workflow balances autonomy and control.
Scenario 3: Multi-Account Governance Gone Wrong
A company creates an organization but does not enable all features, so they cannot use SCPs. They rely on IAM policies in each account, but these are inconsistent. An administrator in one account accidentally deletes a critical S3 bucket because there is no central policy to prevent it. Later, they enable all features and attach a deny SCP to prevent s3:DeleteBucket. However, they forget to attach the FullAWSAccess policy to new accounts, causing all users to lose access. The root user of the management account can still access accounts, but day-to-day operations stop. They learn to always attach the FullAWSAccess policy to the root OU and then apply deny policies as needed. This scenario highlights the importance of understanding SCP inheritance and the default FullAWSAccess policy.
What CLF-C02 Tests on This Objective
The CLF-C02 exam covers AWS Organizations and SCPs under Domain 2: Security and Compliance, Objective 2.2: 'Identify the security and compliance benefits of using AWS Organizations and SCPs'. You are expected to know:
The purpose of AWS Organizations (central management of multiple accounts, consolidated billing).
The difference between the management account and member accounts.
What SCPs are and how they differ from IAM policies.
That SCPs set permission boundaries and do not grant permissions.
That SCPs affect all users and roles in member accounts, including the root user.
That the management account is not affected by SCPs by default.
That SCPs can be attached to the root, OUs, or individual accounts.
That SCPs are inherited by child OUs and accounts.
The concept of allow lists vs deny lists.
Common Wrong Answers and Why
'SCPs grant permissions to users' – This is false. SCPs only set boundaries. Permissions are granted by IAM policies. Candidates confuse SCPs with IAM because both are JSON policies. The trap: an SCP that allows all actions does not actually give users access; they still need IAM permissions.
'SCPs apply to the management account by default' – This is false. The management account is exempt from SCPs unless you explicitly attach them. Candidates assume all accounts are treated equally, but the management account is special.
'You can apply SCPs with consolidated billing only' – False. SCPs require all features to be enabled. Consolidated billing alone does not support SCPs.
'SCPs can be used to block the root user of a member account' – True! This is a key point. SCPs affect even the root user of member accounts, which is different from IAM (which cannot restrict the root user). Candidates often think the root user is always unrestricted, but SCPs change that.
Specific Terms and Values on the Exam
'Management account' (not master account – AWS changed the term).
'Organizational unit (OU)'.
'Service control policy (SCP)'.
'FullAWSAccess' – the default SCP that allows all actions.
'Root' – the top-level container.
'Consolidated billing' vs 'All features'.
Tricky Distinctions
SCP vs IAM: SCPs are account-level boundaries; IAM is user/role-level. Both must allow an action for it to succeed.
SCP vs AWS Config: Config evaluates resource configurations, not permissions. SCPs control what actions are allowed.
SCP vs IAM Permission Boundaries: Permission boundaries are for individual IAM roles, SCPs are for entire accounts.
Decision Rule for Multiple Choice
When the question involves 'central control over multiple accounts' or 'enforcing security policies across all accounts', the answer is likely AWS Organizations with SCPs. If the question mentions 'billing consolidation', think Organizations. If it mentions 'setting maximum permissions for an account', think SCPs. Eliminate options that mention IAM policies alone if the scope is multiple accounts.
AWS Organizations is a free service that centrally manages multiple AWS accounts, enabling consolidated billing and policy enforcement.
Service Control Policies (SCPs) set permission boundaries for accounts; they do not grant permissions.
SCPs affect all principals in a member account, including the root user, but not the management account by default.
To use SCPs, you must enable 'All features' in AWS Organizations.
SCPs are inherited from the root down through OUs to accounts; multiple SCPs can be attached, and the effective permissions are the intersection.
The default 'FullAWSAccess' SCP allows all actions; you attach deny policies to restrict.
AWS Organizations supports up to 1,000 SCPs and 1,000 OUs per organization.
Common exam traps: confusing SCPs with IAM policies, thinking SCPs grant permissions, or assuming the management account is restricted by SCPs.
These come up on the exam all the time. Here's how to tell them apart.
Service Control Policies (SCPs)
Applies to all principals in an account (including root user of member accounts)
Sets a permission boundary at the account level
Does not grant permissions; only allows or denies actions
Attached to the root, OUs, or accounts in AWS Organizations
Cannot be used to grant access; only to restrict
IAM Policies
Applies to specific IAM users, groups, or roles
Grants or denies specific permissions to a principal
Can grant permissions (Allow) or deny them (Deny)
Attached to IAM users, groups, or roles directly
Can be used to grant access to resources
AWS Organizations (All Features)
Enables SCPs, automated account creation, and API-based management
Allows you to apply permission guardrails across accounts
Supports OUs and hierarchical policy inheritance
Recommended for production environments with security requirements
Free to use, but requires careful management
AWS Organizations (Consolidated Billing Only)
Only provides consolidated billing and cost management
No SCPs or permission boundaries
No OUs or policy inheritance
Suitable for simple billing consolidation without security needs
Cannot be upgraded to All Features later without creating a new organization
Mistake
SCPs grant permissions to users and roles in an account.
Correct
SCPs do not grant permissions; they define a maximum permission boundary. Permissions are granted by IAM policies attached to IAM users, groups, or roles. An action is allowed only if both the SCP and the IAM policy allow it.
Mistake
The management account is subject to SCPs by default.
Correct
The management account is not affected by SCPs unless you explicitly attach them. This is because the management account needs full control to manage the organization. AWS recommends not attaching SCPs to the management account.
Mistake
SCPs can be used with consolidated billing only.
Correct
SCPs require the 'All features' mode to be enabled. Consolidated billing alone does not support SCPs. You must enable all features to use SCPs, automated account creation, and other advanced features.
Mistake
SCPs cannot restrict the root user of a member account.
Correct
SCPs affect all principals in a member account, including the root user. This is a key difference from IAM, which cannot restrict the root user. SCPs can deny actions to the root user of a member account.
Mistake
You can attach only one SCP to an OU or account.
Correct
You can attach multiple SCPs to a target. The effective permissions are the intersection of all attached SCPs. If any SCP denies an action, it is denied. AWS attaches a default 'FullAWSAccess' SCP that allows all actions, and you add deny policies on top.
An SCP is a policy attached to an AWS account (via Organizations) that defines the maximum permissions for all principals in that account. It does not grant permissions; it only allows or denies actions. An IAM policy is attached to a specific user, group, or role and grants or denies permissions to that principal. For an action to be allowed, both the SCP and the IAM policy must allow it. The SCP acts as a guardrail, while IAM policies provide granular access control. On the exam, remember that SCPs are account-level boundaries, while IAM policies are principal-level.
No. SCPs affect all principals in a member account, including the root user. This is a key difference from IAM, which cannot restrict the root user. If an SCP denies an action, even the root user of a member account cannot perform it. However, the root user of the management account is not affected by SCPs by default. This allows the management account to administer the organization without being blocked.
Yes, but it is not recommended. By default, the management account is not subject to SCPs. You can explicitly attach SCPs to the management account, but doing so could lock out administrators. AWS advises against it because the management account needs full control to manage the organization. If you must apply SCPs to the management account, ensure you have a break-glass procedure (e.g., contacting AWS Support).
The effective permissions are the intersection of all attached SCPs. If any SCP denies an action, that action is denied. For example, if you attach an SCP that allows only EC2 and another that denies EC2, the deny wins. AWS always attaches a default 'FullAWSAccess' SCP that allows all actions. Adding deny policies creates restrictions. To allow only specific actions, you must detach 'FullAWSAccess' and attach a custom allow list policy, but this is risky because it blocks all actions not explicitly allowed.
No. AWS Organizations is a free service. There is no charge for creating an organization, OUs, or attaching SCPs. You only pay for the AWS services used in each member account (e.g., EC2, S3). Consolidated billing can help you save money by aggregating usage across accounts for volume discounts.
Yes, you can use SCPs with conditions to require specific tags on resources. For example, you can deny `ec2:RunInstances` unless the request includes a tag `CostCenter`. However, SCPs are limited to conditions available in the IAM policy language. For more advanced compliance enforcement, consider using AWS Config rules or AWS Service Catalog.
AWS Organizations is the foundational service for managing multiple accounts. AWS Control Tower is a higher-level service that automates the setup of a multi-account environment based on AWS best practices. Control Tower uses Organizations to create accounts and apply SCPs, but it also provides a dashboard, guardrails (which are pre-built SCPs and AWS Config rules), and account factory. On the exam, know that Control Tower extends Organizations with automated governance.
You've just covered AWS Organizations and SCPs — now see how well it sticks with free CLF-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?