Service Control Policies (SCPs) are a critical feature of AWS Organizations that allow you to centrally control the maximum available permissions for all accounts in your organization. This chapter covers how SCPs work, their relationship with IAM, and their role in enforcing security boundaries. On the SAA-C03 exam, SCPs appear in approximately 10-15% of questions related to Secure Architectures (Domain 1, Objective 1.4), often in scenarios requiring multi-account governance or delegation of administration. Understanding SCPs is essential for designing secure, scalable AWS environments that comply with regulatory requirements.
Jump to a section
Think of AWS Organizations as a corporate holding company with multiple subsidiaries (accounts). The holding company's board sets a spending policy that applies to all subsidiaries: no subsidiary may purchase real estate, enter partnerships, or hire executives without board approval. This policy is enforced by the corporate financial system (SCPs). Each subsidiary's local management (IAM) can further define who within the subsidiary can use petty cash or order office supplies, but they cannot override the board's restrictions. If a subsidiary manager tries to buy a building, the financial system rejects it automatically, even if the local manager has full signing authority. In AWS terms, the management account (payer) creates SCPs that define maximum allowed actions for all member accounts. IAM policies within an account can grant permissions, but SCPs set an upper boundary — if an action is denied by an SCP, no IAM policy can allow it. The SCPs are inherited by all accounts in the organization, including the management account itself unless explicitly excluded. Just as the board's policy is a hard limit, SCPs are a guardrail that cannot be bypassed by account administrators.
What Are Service Control Policies (SCPs)?
Service Control Policies (SCPs) are a type of policy that you can use to manage permissions in your AWS Organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. They are not a substitute for IAM policies; rather, they are a boundary that defines what actions an account's IAM users, roles, and services can perform.
SCPs are applied at the organization, organizational unit (OU), or account level. They are inherited by all child entities. For example, if you attach an SCP to an OU, all accounts in that OU are affected. You can also attach SCPs directly to individual accounts.
How SCPs Work Internally
SCPs operate by specifying a list of AWS services, actions, and conditions that are allowed or denied. The effective permissions for an IAM principal (user or role) in a member account are the intersection of the SCPs that apply to the account and the IAM policies that apply to the principal. In other words, an action is permitted only if it is allowed by BOTH the SCP AND the IAM policy. If either denies it, the action is denied.
SCPs use a similar syntax to IAM policies but with some key differences. They do not grant permissions; they only define a policy boundary. There are two types of SCPs: aws:SourceOrgID and aws:SourceOrgPath conditions can be used in SCPs to restrict access based on the organization.
Key Components and Defaults
FullAWSAccess: By default, when you enable AWS Organizations, a default SCP called FullAWSAccess is attached to the root and all OUs and accounts. This allows all actions. To restrict permissions, you must attach a deny SCP or modify the default.
Deny Effect: SCPs can have an explicit deny effect. If an action is denied by any SCP, it is blocked, even if other SCPs allow it.
Maximum SCP Size: Each SCP can be up to 5,120 characters in length.
Number of SCPs: You can attach up to 5 SCPs to an account, OU, or root.
Inheritance: SCPs are inherited from the root down to OUs and accounts. The effective SCP is the union of all SCPs attached to the account and its ancestors.
Evaluation Logic: SCPs are evaluated before IAM policies. If an SCP denies an action, the action is blocked regardless of IAM policies.
Configuration and Verification
To create and attach SCPs, you use the AWS Organizations console, AWS CLI, or SDK. Here is an example of an SCP that denies the ability to delete CloudTrail trails:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "cloudtrail:DeleteTrail",
"Resource": "*"
}
]
}To attach this SCP to an OU using the CLI:
aws organizations attach-policy --policy-id p-examplepolicyid --target-id ou-exampleouidTo verify the effective permissions, you can use the IAM policy simulator or the organizations list-policies-for-target command:
aws organizations list-policies-for-target --target-id ou-exampleouid --filter SERVICE_CONTROL_POLICYInteraction with IAM and Resource-Based Policies
SCPs do not affect resource-based policies (like S3 bucket policies) directly. However, they can restrict the actions that a principal can perform, which indirectly affects what they can do through resource-based policies. For example, if an SCP denies s3:PutObject, even if a bucket policy allows it, the principal cannot upload objects because the SCP overrides.
SCPs also do not affect the management account by default. The management account is exempt from SCPs unless you explicitly enable them by attaching an SCP to the root. This is a common exam trap: SCPs apply to member accounts, not the management account, unless configured otherwise.
Best Practices
Start with a deny list approach: attach SCPs that deny specific high-risk actions (e.g., deleting CloudTrail logs, disabling CloudWatch, modifying IAM roles).
Use SCPs to enforce compliance: for example, require that all EC2 instances are launched in a specific region.
Use SCPs to delegate administration: allow certain accounts to manage IAM but restrict them from creating certain types of roles.
Test SCPs using the IAM policy simulator before applying them to production accounts.
Common Exam Scenarios
Preventing Account Exit: Use SCPs to deny organizations:LeaveOrganization to prevent accounts from leaving the organization.
Enforcing Encryption: Use SCPs to deny actions that create resources without encryption, e.g., ec2:RunInstances without specifying a KMS key.
Restricting Regions: Use SCPs with conditions like aws:RequestedRegion to limit actions to specific regions.
SCPs vs. IAM Permissions Boundaries
Both SCPs and IAM permissions boundaries define the maximum permissions for a principal, but they operate at different levels. SCPs apply to all principals in an account, while permissions boundaries apply to a specific IAM user or role. They can be used together: the effective permissions are the intersection of the SCP, the permissions boundary, and the IAM policy.
Troubleshooting
If an action is unexpectedly denied, check the following:
Is the action denied by an SCP attached to the account or its OU? Use the policy simulator with the SCP context.
Is the action denied by an IAM policy? Check the principal's IAM policies.
Is the management account affected? Remember SCPs do not apply to the management account unless explicitly attached to the root.
Summary
SCPs are a powerful tool for enforcing security guardrails across multiple accounts. They are not a replacement for IAM but a complement. On the exam, remember that SCPs set a maximum boundary, they are inherited, and they do not apply to the management account by default. Master the evaluation order: SCPs -> IAM permissions boundaries -> IAM policies -> Resource-based policies.
Enable AWS Organizations
First, you must create or join an AWS Organization. The management account creates the organization and invites other accounts to join. During setup, you enable all features, which includes SCPs. If you only have consolidated billing features, SCPs are not available. Ensure that your organization is set to 'All features' mode. This is a prerequisite for using SCPs.
Create a Service Control Policy
In the management account, navigate to the AWS Organizations console or use the CLI to create an SCP. Define a policy document in JSON format that specifies actions to allow or deny. For example, you can create a policy that denies the ability to delete CloudTrail trails. The policy can include conditions like `aws:RequestedRegion` to restrict actions to specific regions. Once created, the SCP is stored in the organization and can be attached to any target.
Attach SCP to an OU or Account
After creating the SCP, you attach it to the root, an OU, or a specific account. When attached to an OU, all accounts within that OU inherit the policy. You can attach up to 5 SCPs per target. The effective SCP is the union of all attached SCPs, meaning that if any SCP denies an action, it is denied. The order of attachment does not matter; all SCPs are evaluated together.
Test Effective Permissions
Before enforcing the SCP, use the IAM policy simulator to test the effective permissions for a principal in the target account. Include the SCP in the simulation by specifying the account's SCPs. This helps identify unintended denials. You can also use the `organizations list-policies-for-target` command to review which SCPs apply. After testing, you can safely apply the SCP in production.
Monitor and Audit SCP Changes
Enable AWS CloudTrail to log all API calls related to AWS Organizations, including SCP creation, attachment, and detachment. Use AWS Config rules to monitor for changes to SCPs. Set up alerts for any modifications to ensure compliance. Regularly review the SCPs attached to each account to ensure they remain aligned with security policies. Misconfigurations can lead to unintended access or lockouts.
Enterprise Scenario 1: Financial Services Compliance
A large bank uses AWS Organizations to manage over 200 accounts across development, test, and production environments. The compliance team requires that no account can disable CloudTrail logging or delete logs. They create an SCP that denies cloudtrail:DeleteTrail, cloudtrail:StopLogging, and cloudtrail:UpdateTrail for all accounts except the management account. This SCP is attached to the root, ensuring it applies to all accounts. Additionally, they create an SCP that denies ec2:RunInstances unless the instance is launched with a specific KMS key for encryption. This ensures all EC2 volumes are encrypted at rest. The bank uses AWS Config to monitor for non-compliant resources and remediates automatically using Lambda functions. One challenge they faced was that the SCPs also affected the management account when attached to the root, causing some administrative tasks to fail. They resolved this by detaching the SCP from the root and attaching it only to OUs containing member accounts.
Enterprise Scenario 2: Multi-Tenant SaaS Provider
A SaaS company offers a platform where each customer gets a separate AWS account for isolation. They use AWS Organizations to manage hundreds of customer accounts. To prevent customers from modifying their own billing or leaving the organization, they attach an SCP that denies organizations:LeaveOrganization and aws-portal:ModifyAccount to all accounts. They also restrict the regions where customers can deploy resources to US East (N. Virginia) and US West (Oregon) using a condition in the SCP: "Condition": { "StringEquals": { "aws:RequestedRegion": ["us-east-1", "us-west-2"] } }. This ensures data residency compliance. However, they discovered that some customers needed to use services not available in those regions, such as AWS GovCloud. They created a separate OU for those customers with a more permissive SCP. The company uses AWS CloudFormation StackSets to deploy baseline IAM roles and resources across all accounts, but SCPs prevent customers from deleting these resources. A common misconfiguration was attaching SCPs that accidentally blocked essential services like AWS CloudFormation itself, causing stack operations to fail. They now maintain a whitelist of allowed services in the SCP to avoid such issues.
Performance and Scale Considerations
SCPs are evaluated at the time of API call and add minimal latency (typically <10ms). However, with hundreds of accounts and complex policies, the evaluation can become slower. It is best practice to keep SCPs concise and avoid overly complex conditions. Also, note that SCPs are eventually consistent; changes may take a few seconds to propagate across all accounts. During this window, there is a risk of temporary policy mismatch. To mitigate, apply changes during maintenance windows and use the organizations describe-policy command to verify propagation.
What SAA-C03 Tests on SCPs
The SAA-C03 exam focuses on Objective 1.4: "Define a multi-account strategy for an organization." Within this, SCPs are tested in the context of security guardrails, delegation of administration, and compliance enforcement. Key areas include:
Understanding that SCPs set maximum permissions and do not grant permissions.
Knowing that SCPs apply to all IAM principals in an account (users, roles, and services) but do not affect the management account by default.
Recognizing that SCPs are inherited from the root to OUs to accounts.
Being able to identify when to use SCPs vs. IAM permissions boundaries vs. IAM policies.
Common Wrong Answers and Why
"SCPs grant permissions to users." This is false. SCPs only set a boundary; they never grant permissions. Candidates confuse SCPs with IAM policies.
"SCPs apply to the management account by default." This is a trap. SCPs do not apply to the management account unless explicitly attached to the root. Many candidates assume the management account is subject to SCPs because it is part of the organization.
"SCPs can be used to allow actions that IAM denies." No. SCPs cannot override an IAM deny. The effective permission is the intersection of all policies; a deny in any policy results in denial.
"SCPs are evaluated after IAM policies." Actually, SCPs are evaluated first. If an SCP denies an action, the action is blocked before IAM policies are even considered.
Specific Numbers and Terms
Default SCP: FullAWSAccess
Maximum SCP size: 5,120 characters
Maximum SCPs per target: 5
SCPs are JSON documents with Version, Statement, Effect, Action, Resource, and optional Condition.
Use aws:RequestedRegion condition to restrict regions.
Edge Cases and Exceptions
Management Account: SCPs do not apply to the management account unless attached to the root. The management account can still be affected if an SCP is attached to the root, but this is not the default.
Resource-Based Policies: SCPs can indirectly affect access through resource-based policies. For example, if an SCP denies s3:PutObject, a user cannot upload to S3 even if the bucket policy allows it.
Service-Linked Roles: Some AWS services create service-linked roles that are not affected by SCPs? Actually, service-linked roles are subject to SCPs. However, some services may have specific exceptions. The exam may test that SCPs cannot block AWS services from performing necessary actions for their operation (e.g., AWS Config recording). But generally, SCPs apply to all IAM roles.
Tag-Based Conditions: SCPs can use tag-based conditions to allow or deny actions based on resource tags. This is a common exam scenario for enforcing tagging policies.
How to Eliminate Wrong Answers
When faced with an SCP question, first determine if the scenario involves multiple accounts. If the question asks about controlling permissions across accounts, SCPs are likely the answer. If it's about a single account, consider IAM permissions boundaries instead. Look for keywords like "organization," "OU," "member account," "guardrail," or "maximum permissions." If the answer choice says SCPs grant permissions, eliminate it immediately. If it says SCPs apply to the management account without qualification, eliminate it unless the scenario explicitly attaches to the root. Remember: SCPs are evaluated first, they are inherited, and they do not grant permissions.
SCPs set maximum permissions for all accounts in an organization; they never grant permissions.
SCPs do not apply to the management account unless explicitly attached to the root.
SCPs are inherited from the root to OUs to accounts.
Up to 5 SCPs can be attached to a single target (root, OU, or account).
Each SCP can be up to 5,120 characters.
SCPs are evaluated before IAM policies; a deny in an SCP blocks the action regardless of IAM allow.
Use `aws:RequestedRegion` condition in SCPs to restrict actions to specific regions.
SCPs can be used to prevent accounts from leaving the organization (deny `organizations:LeaveOrganization`).
These come up on the exam all the time. Here's how to tell them apart.
Service Control Policies (SCPs)
Apply to all principals in an account (or OU/root).
Set a maximum permission boundary for the entire account.
Managed at the organization level by the management account.
Cannot be overridden by account administrators.
Evaluated first before IAM policies.
IAM Permissions Boundaries
Apply to a specific IAM user or role.
Set a maximum permission boundary for that principal only.
Managed within the account by IAM administrators.
Can be overridden by account administrators if they have permissions to modify boundaries.
Evaluated after SCPs but before IAM policies.
Mistake
SCPs grant permissions to users and roles in an account.
Correct
SCPs never grant permissions. They only define a boundary of maximum allowed actions. Actual permissions come from IAM policies attached to users/roles. An action is allowed only if both the SCP and IAM policy allow it.
Mistake
SCPs apply to the management account by default.
Correct
By default, SCPs do not affect the management account. They apply only to member accounts. To apply SCPs to the management account, you must attach an SCP to the root of the organization.
Mistake
SCPs can override an explicit deny in an IAM policy.
Correct
No. An explicit deny in any policy (SCP, IAM, permissions boundary) results in denial. The effective permission is the intersection of all policies. A deny in SCP or IAM blocks the action.
Mistake
SCPs are evaluated after IAM policies.
Correct
SCPs are evaluated first. AWS evaluates SCPs before IAM policies. If an SCP denies an action, the action is blocked immediately, and IAM policies are not evaluated.
Mistake
SCPs can be used to allow actions that are denied by IAM permissions boundaries.
Correct
SCPs cannot override a deny from a permissions boundary. The effective permissions are the intersection of SCP, permissions boundary, and IAM policies. A deny in any of these results in denial.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
By default, no. SCPs apply only to member accounts. However, if you attach an SCP to the root of the organization, it will affect the management account as well. This is a common exam trap: remember that the management account is not subject to SCPs unless explicitly configured.
No. SCPs only define a boundary of allowed actions. They never grant permissions. Actual permissions come from IAM policies. An action is allowed only if it is permitted by both the SCP and the IAM policy.
SCPs apply to all principals in an account (or OU) and are managed at the organization level. IAM permissions boundaries apply to a specific user or role and are managed within the account. Both set maximum permissions, but SCPs are broader and cannot be overridden by account admins.
Use an SCP with a condition on `aws:RequestedRegion`. For example: `"Condition": { "StringEquals": { "aws:RequestedRegion": ["us-east-1", "eu-west-1"] } }`. This denies any action that specifies a region outside the allowed list.
Yes, SCPs apply to all IAM roles, including service-linked roles. However, some AWS services require certain actions to function; blocking them may break the service. The exam may test that you should not block essential actions for services like AWS Config or CloudTrail.
The effective SCP is the union of all attached SCPs. If any SCP denies an action, it is denied. If multiple SCPs allow an action, it is allowed only if no SCP denies it. The order of attachment does not matter.
Use the IAM policy simulator. You can simulate the SCP by selecting the account and specifying the SCPs. This shows the effective permissions for a principal. Additionally, you can use the `organizations list-policies-for-target` command to review attached SCPs.
You've just covered Service Control Policies and AWS Organizations — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?