Service Control Policies (SCP): What It Is and When to Use It

Definition

Service Control Policies (SCPs) are a feature of AWS Organizations that offer central control over the maximum available permissions for all AWS Identity and Access Management (IAM) users and roles within an organization. They act as security guardrails, ensuring that accounts stay within the organization's access control guidelines by setting boundaries on what actions can be performed, rather than granting permissions themselves.

How It Works

SCPs are a type of organization policy that you can use to manage permissions in your organization. They are written in a JSON format similar to IAM policies and are attached to elements within an AWS Organization, such as the organization root, an Organizational Unit (OU), or an individual member account.

Key principles of SCP operation:

  • Inheritance: SCPs attached to the root or an OU are inherited by every OU and account nested beneath them. The SCPs attached at one level are evaluated together, and an action must be allowed at every level from the root down to the account, so an account's effective maximum permissions are the intersection of what each level allows. A practical consequence is that a deny-list SCP only works if an Allow (normally the default FullAWSAccess policy) is also attached at the same level; removing every Allow at a level blocks everything below it.
  • Permissions Guardrail, Not a Grant: An SCP never grants permissions. For an action to be allowed, the IAM user or role must have an identity-based or resource-based policy that grants it, AND the action must also be allowed by the SCPs at every applicable level.
  • Explicit Deny Overrides Allow: If any SCP in the hierarchy explicitly denies an action, the action is blocked even if an IAM policy or another SCP allows it. An action that no SCP at a given level allows is blocked as well (an implicit deny), which is what makes an allow-list strategy work.
  • Scope: SCPs affect all IAM users and roles in member accounts, including the member account's root user. They do not affect users or roles in the management account, actions performed through service-linked roles, or principals outside the organization that access the account's resources (for example, an external account reading through an Amazon S3 bucket policy).

When SCPs are enabled for an organization, AWS attaches an AWS managed SCP named FullAWSAccess to the root, every OU, and every account. This policy allows all services and actions, and because it is AWS managed it cannot be edited or deleted. To implement restrictions you therefore create additional SCPs: either attach policies containing "Deny" statements alongside FullAWSAccess (a deny-list strategy), or detach FullAWSAccess from the relevant OU or account and replace it with policies whose "Allow" statements list only the services you permit (an allow-list strategy).

Key Features and Limits

  • Centralized Control: Manage permission boundaries for hundreds or thousands of accounts from a single location (the management account).
  • Broad Applicability: SCPs apply to all principals within a member account, including the root user, providing a powerful layer of protection.
  • Policy Strategies: You can implement a "deny list" strategy (denying specific unwanted actions) or a more restrictive "allow list" strategy (only allowing a specific set of actions).
  • Integration with AWS Organizations: SCPs are a core feature of AWS Organizations and are available when the organization is enabled for all features, not just consolidated billing.
  • Policy Size Limit: The maximum size of an SCP document is 5,120 characters, which is easy to exhaust with verbose region and service exemptions; check the AWS Organizations quotas page for the current value.
  • Attachment Limit: You can attach a maximum of 5 SCPs directly to the organization root, an OU, or an individual account (inherited SCPs do not count towards this limit). Bundling several guardrails as separate statements in one SCP is the usual way to stay within it.

Common Use Cases

  1. Enforcing Regional Compliance: Deny actions outside an approved set of AWS Regions (using the aws:RequestedRegion condition key) to meet data residency requirements such as GDPR. Global services such as IAM, AWS Organizations, AWS STS, CloudFront and Route 53 report a single home Region, so their actions must be exempted from the deny statement or the policy will break identity management across the organization.
  2. Preventing Disablement of Security Services: Deny actions such as cloudtrail:StopLogging and cloudtrail:DeleteTrail, or the actions that remove AWS Config recorders or Amazon GuardDuty detectors, so that visibility cannot be switched off from inside a member account.
  3. Controlling Costs: Prevent users in development or sandbox accounts from launching expensive or non-standard instance types (for example, high-end GPU instances) with a deny statement on the ec2:InstanceType condition key, to avoid budget overruns.
  4. Securing the Root User: Deny all actions whose aws:PrincipalArn matches arn:aws:iam::*:root in member accounts, enforcing the best practice of using IAM roles for administrative work.
  5. Mandating Security Best Practices: Require encryption of Amazon EBS volumes at creation time, prevent the creation of public S3 buckets or the removal of S3 Block Public Access settings, and similar controls (new Amazon S3 objects have been encrypted by default since 2023, so S3 encryption SCPs are now mostly about enforcing a particular key type). These controls only work where the service exposes a condition key or a specific action the SCP can match, so check the service's condition keys before relying on an SCP to enforce a setting.
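To make the evaluation rules from "How It Works" and the guardrails in the list above concrete, here is a small Python simulator. It is an added example written for this page, not AWS code or an AWS tool. The policies, the OU hierarchy, the role ARN and the account ID 111122223333 are constructed placeholders, and the evaluator models only a subset of IAM (Action/NotAction, a few String/Arn condition operators, no resource matching), so use the IAM policy simulator or a real test account for actual decisions.

```python
# Toy evaluator for the SCP rules described above (added illustration, not AWS code).
# Models Allow/Deny statements with Action/NotAction plus a few String/Arn condition
# operators; Resource is taken to be "*" as in every sample policy below.
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(value, pattern, fold_case=False):
    if fold_case:  # IAM action names are case-insensitive; ARNs and strings are not
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)

# operator name -> (negated?, test(value, pattern)); a subset of IAM's operators
_OPERATORS = {
    "StringEquals": (False, lambda v, p: v == p),
    "StringNotEquals": (True, lambda v, p: v == p),
    "StringLike": (False, _glob),
    "ArnLike": (False, _glob),
    "ArnNotLike": (True, _glob),
}

def _condition_matches(condition, context):
    for op_name, keys in condition.items():
        negated, test = _OPERATORS[op_name]
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None:  # missing key: IAM treats it as true for negated operators only
                if negated:
                    continue
                return False
            hit = any(test(value, p) for p in _as_list(patterns))
            if hit == negated:  # positive operators need a hit, negated ones need none
                return False
    return True

def _statement_matches(stmt, request):
    patterns = _as_list(stmt.get("Action", stmt.get("NotAction")))
    named = any(_glob(request["action"], p, True) for p in patterns)
    action_ok = named if "Action" in stmt else not named
    return action_ok and _condition_matches(stmt.get("Condition", {}), request["context"])

def policies_allow(policies, request):
    """True only if some Allow statement matches and no Deny statement matches.
    Used for the SCPs attached at one level and, separately, for the identity policy."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, request):
                if stmt["Effect"] == "Deny":
                    return False  # explicit deny wins over any Allow
                allowed = True
    return allowed

def evaluate(request, hierarchy, identity_policy):
    """Walk root -> OU -> account: every level must allow the action (a deny or a
    missing allow at any level blocks it); only then does the IAM policy decide."""
    for level_name, attached_scps in hierarchy:
        if not policies_allow(attached_scps, request):
            return f"denied by SCP at {level_name}"
    if not policies_allow([identity_policy], request):
        return "denied by IAM policy"  # SCPs never grant; IAM still has to allow
    return "allowed"

# Sample policies and hierarchy, constructed for this example (account ID is a placeholder)
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SECURITY_BASELINE = {"Statement": [
    {"Sid": "DenyOutsideEU", "Effect": "Deny", "Resource": "*",
     # global services report a non-EU aws:RequestedRegion, so they must be exempted
     "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
]}
SANDBOX_ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                     "Action": ["ec2:*", "s3:*", "iam:*", "cloudwatch:*", "logs:*"]}]}
READ_ONLY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"]}]}
HIERARCHY = [
    ("root", [FULL_AWS_ACCESS]),
    ("ou/Workloads", [FULL_AWS_ACCESS, SECURITY_BASELINE]),
    ("account/111122223333", [SANDBOX_ALLOW_LIST]),  # FullAWSAccess detached: allow-list account
]
ROLE, ROOT = "arn:aws:iam::111122223333:role/DevAdmin", "arn:aws:iam::111122223333:root"

def _req(action, region, principal=ROLE):
    return {"action": action, "context": {"aws:RequestedRegion": region, "aws:PrincipalArn": principal}}

def run_scenarios():
    """Return {label: decision} for a set of constructed requests."""
    admin = FULL_AWS_ACCESS  # same shape as the AdministratorAccess managed policy
    return {
        "ec2 in EU, admin role": evaluate(_req("ec2:RunInstances", "eu-west-1"), HIERARCHY, admin),
        "ec2 outside EU, admin role": evaluate(_req("ec2:RunInstances", "us-east-1"), HIERARCHY, admin),
        "global IAM call from us-east-1": evaluate(_req("iam:CreateRole", "us-east-1"), HIERARCHY, admin),
        "lambda not in sandbox allow list": evaluate(_req("lambda:CreateFunction", "eu-west-1"), HIERARCHY, admin),
        "stop CloudTrail, admin role": evaluate(_req("cloudtrail:StopLogging", "eu-west-1"), HIERARCHY, admin),
        "root user in EU": evaluate(_req("s3:ListAllMyBuckets", "eu-west-1", ROOT), HIERARCHY, admin),
        "ec2 in EU, read-only role": evaluate(_req("ec2:RunInstances", "eu-west-1"), HIERARCHY, READ_ONLY),
    }

if __name__ == "__main__":
    for label, decision in run_scenarios().items():
        print(f"{label:34} -> {decision}")
```

Running the script prints one decision per scenario. Two things are worth noticing: the sandbox account has FullAWSAccess detached and an allow list attached, so lambda:CreateFunction is blocked by an implicit deny even though the caller holds full administrative IAM permissions; and the three guardrails are packed into one SCP with separate Sids, which keeps the OU well inside the limit on directly attached SCPs. The iam:CreateRole request from us-east-1 is allowed only because the region deny statement exempts the global services through NotAction; drop that exemption and every IAM call in the OU fails.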

Pricing Model

Service Control Policies are a feature of AWS Organizations and are offered at no additional charge. You are only billed for the AWS resources consumed by the users and roles within your member accounts, not for the use of Organizations or SCPs themselves.

Pros and Cons

Pros:

  • Scalable Governance: Provides a consistent and scalable way to enforce security and compliance guardrails across a multi-account environment.
  • Guardrails Cannot Be Bypassed from Inside an Account: SCPs are managed only from the management account (or a delegated administrator account for Organizations policies), so IAM administrators within a member account cannot weaken or remove them, ensuring that central security policies are always enforced.
  • Comprehensive Protection: Affects all principals in a member account, including the root user, closing a potential security gap.
  • Reduces Risk: Helps prevent accidental or malicious actions that could lead to security breaches, data loss, or excessive costs.

Cons:

  • Complexity: Can become complex to manage and debug in large organizations with nested OUs and multiple policies. Thorough testing is critical to avoid inadvertently blocking legitimate access.
  • No Effect on Management Account: SCPs do not apply to the management account, which must be secured through other means.
  • Potential for Lockout: Misconfigured SCPs, especially those using a restrictive allow-list strategy, can lock users (including administrators) out of necessary services.
  • Does Not Grant Permissions: A common point of confusion is that SCPs only set boundaries; they do not grant permissions. You must still use IAM policies to grant access to users and roles.

Comparison with Alternatives

SCPs vs. AWS IAM Policies:

  • Scope: SCPs apply organization-wide (to OUs and member accounts), while IAM policies apply to specific users, groups, or roles within a single account.
  • Function: SCPs set maximum permission boundaries (guardrails) and never grant permissions. IAM policies explicitly grant permissions to principals.
  • Hierarchy: SCPs are evaluated before identity-based policies. An explicit deny in an SCP always overrides an allow in an IAM policy, and so does the absence of a matching allow in the SCPs at any level of the hierarchy (an implicit deny).

SCPs vs. IAM Permissions Boundaries:

  • Attachment Target: SCPs are attached to the organization root, OUs, or accounts. Permissions Boundaries are attached to individual IAM users or roles within an account.
  • Use Case: SCPs are for broad, organization-wide governance (e.g., "No one in this OU can use this service"). Permissions Boundaries are for delegating administrative tasks within an account without allowing privilege escalation (e.g., "This developer can create IAM roles, but only roles that have these specific permissions").
  • Scale: SCPs are designed for enforcement at scale across many accounts automatically. Permissions Boundaries must be applied to each IAM principal individually.

Exam Relevance

Service Control Policies are a critical topic for several AWS certifications, particularly those focused on architecture and security.

  • AWS Certified Solutions Architect - Associate (SAA-C03): Candidates need to understand how SCPs work within AWS Organizations to enforce governance and how they interact with IAM policies.
  • AWS Certified Solutions Architect - Professional (SAP-C02): Expect in-depth questions on designing multi-account strategies where SCPs are used to implement complex security and compliance requirements.
  • AWS Certified Security - Specialty (SCS-C03): This exam requires a deep understanding of SCPs, including policy syntax, evaluation logic, common use cases for creating security guardrails, and comparing them with other controls like IAM Permissions Boundaries.

Examinees should know that SCPs do not grant permissions, that they affect the member account's root user, and that an explicit deny in an SCP overrides any allow.

Frequently Asked Questions

Q: Can a Service Control Policy (SCP) grant permissions?

A: No, an SCP can never grant permissions. It only defines a guardrail or the maximum permissions available. An IAM user or role must still be granted permissions via an identity-based or resource-based IAM policy to perform any action.

Q: What happens if an IAM policy allows an action but an SCP denies it?

A: The action is denied. In the AWS policy evaluation logic, an explicit deny from any applicable policy, including an SCP, always overrides an allow statement from another policy. For an action to be permitted, it must be allowed by both the relevant IAM policies and all applicable SCPs.

Q: Do SCPs apply to the management account or the root user?

A: SCPs do not affect any users or roles in the organization's management account. However, they do apply to all users and roles in member accounts, including the root user of those member accounts.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/24/2026 / Updated: 5/24/2026
