The SCP denies PutObject without the encryption header, and the command did not specify the header. Could it be that SCPs do not affect the root user? No, the root user is not used here. The developer used an IAM role.
SCPs apply to all IAM principals. The issue might be that the SCP uses a condition key that is not evaluated properly? Another common issue: SCPs cannot deny actions that are performed by the AWS service itself? No. The most likely reason is that the SCP was not applied to the production account: it was attached to the root OU, but the production account might be in a different OU that does not inherit the SCP? Or the SCP might have been disabled? Or the developer might be using a service-linked role? Actually, there is a known limitation: SCPs do not affect the management account.
If the production account is the management account, SCPs do not apply. That is a classic gotcha. The question says "multi-account AWS environment using AWS Organizations" but does not specify that the production account is the management account, though it is plausible. Another possibility: the SCP denies s3:PutObject without the header, but the CLI command might automatically add the header if the bucket has default encryption? No, the bucket does not have default encryption. The SCP should deny.
So the most likely cause is that the production account is the management account of the organization, and SCPs do not apply to the management account.
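The following added example (not part of the original text) is a simplified model of the evaluation reasoned through above: the same unencrypted `s3:PutObject` is denied for a role in a member account and passes the SCP layer for a role in the management account. The policy shape, account IDs and role ARNs are constructed assumptions; the `MasterAccountId` field mirrors what `DescribeOrganization` returns.

```python
# Simplified model of SCP evaluation for s3:PutObject.
# Account IDs, ARNs and the policy below are constructed sample data.

# Assumed shape of the deny described above: block uploads that omit the
# server-side-encryption header.
SCP = {
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
}

# Same field name as in the DescribeOrganization response.
ORG = {"MasterAccountId": "111111111111"}


def scp_applies(caller_arn: str, org: dict) -> bool:
    """SCPs bind principals in member accounts, never the management account."""
    account_id = caller_arn.split(":")[4]
    return account_id != org["MasterAccountId"]


def null_condition_matches(statement: dict, request_keys: dict) -> bool:
    """Null operator: "true" matches when the key is absent from the request."""
    for key, expected in statement["Condition"]["Null"].items():
        absent = key not in request_keys
        if absent != (expected == "true"):
            return False
    return True


def scp_decision(caller_arn, action, request_keys, org=ORG, scp=SCP) -> str:
    """Return "Deny" if the SCP blocks the call, else "NoDeny".

    "NoDeny" only means the SCP layer does not block the request; an IAM or
    bucket policy must still allow it.
    """
    if not scp_applies(caller_arn, org):
        return "NoDeny"
    if action == scp["Action"] and null_condition_matches(scp, request_keys):
        return "Deny"
    return "NoDeny"


MEMBER_ROLE = "arn:aws:sts::222222222222:assumed-role/Developer/session"
MGMT_ROLE = "arn:aws:sts::111111111111:assumed-role/Developer/session"

if __name__ == "__main__":
    for arn in (MEMBER_ROLE, MGMT_ROLE):
        print(arn, scp_decision(arn, "s3:PutObject", {}))
```

To check a real environment, compare the `Account` from `aws sts get-caller-identity` with the `MasterAccountId` from `aws organizations describe-organization`.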