AWS Service Control Policies (SCPs)
An overview of AWS Service Control Policies (SCPs)
AWS Service Control Policies (SCPs) are a type of AWS Organizations policy that can be enabled for an organization. They define the maximum IAM permissions available within the organization. Like IAM policies, SCPs are JSON documents, but they attach to AWS accounts, organizational units (OUs), or the organization root rather than to IAM identities.
By default, when you enable SCPs for an AWS Organization, an SCP called FullAWSAccess is automatically attached; it allows all services and actions. Remember that SCPs restrict the permissions that may be granted rather than granting permissions themselves. If this policy is removed and not replaced at some level of the organization, every OU and account under that level is blocked from taking any action.
Some useful facts about SCPs:
The maximum size of a policy document is 5120 characters.
The maximum number of SCPs that can be attached to the root, to an OU, or to an account is 5 per target.
Since SCPs define the maximum permissions that an IAM user or role can have, they can be used to block actions. Here is an example showing an SCP blocking the iam:CreateUser action:
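The following Python block is an added example, not code from the original page or from AWS. It models how SCPs combine along the organization tree: the deny-iam:CreateUser SCP described above is written out as a Python dictionary next to the default FullAWSAccess SCP, a small evaluator applies the "deny wins, and something must allow" rule at each level from root to account, and a pre-flight check mirrors the two quotas listed above. The organization layout (a "sandbox" OU), the action names used in the demo, and the wording of the simulated error are assumptions made for the example; the evaluator supports only Action, Effect and wildcard matching, not conditions, NotAction or resource-level matching.

```python
"""Simulate SCP evaluation across root -> OU -> account (added example, not AWS code)."""
import json
from fnmatch import fnmatchcase

MAX_SCPS_PER_TARGET = 5   # quota from the page: 5 SCPs per root, OU or account
MAX_SCP_CHARS = 5120      # quota from the page: 5120-character policy document

# The SCP AWS attaches by default: allows every service and action.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The SCP discussed on the page: an explicit deny of iam:CreateUser.
DENY_CREATE_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Statement and Action fields."""
    return value if isinstance(value, list) else [value]


def scp_level_allows(scps, action):
    """Evaluate the SCPs attached at ONE level of the organization tree.

    An action passes a level only if some statement allows it and no statement
    explicitly denies it. With no SCP attached at all, nothing passes, which is
    exactly what happens when FullAWSAccess is detached and not replaced.
    """
    allowed = False
    for scp in scps:
        for stmt in _as_list(scp["Statement"]):
            patterns = _as_list(stmt.get("Action", []))
            if not any(fnmatchcase(action, p) for p in patterns):
                continue  # statement does not mention this action
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins regardless of order
            allowed = True
    return allowed


def effective_decision(path, action):
    """path: list of SCP lists, ordered root -> OU(s) -> account.

    The action is permitted only if EVERY level allows it. On denial the
    returned error is deliberately generic: as the page notes, the caller is
    not told which SCP (or whether an SCP at all) caused the denial.
    """
    for level in path:
        if not scp_level_allows(level, action):
            return "Deny", f"AccessDenied: not authorized to perform {action}"
    return "Allow", None


def check_limits(scps):
    """Pre-flight check of the two quotas against the SCPs for one target."""
    problems = []
    if len(scps) > MAX_SCPS_PER_TARGET:
        problems.append(f"{len(scps)} SCPs attached; limit is {MAX_SCPS_PER_TARGET}")
    for i, scp in enumerate(scps):
        size = len(json.dumps(scp))  # measured on the serialized document
        if size > MAX_SCP_CHARS:
            problems.append(f"SCP #{i} is {size} chars; limit is {MAX_SCP_CHARS}")
    return problems


def demo():
    """Constructed layout: root keeps FullAWSAccess, a sandbox OU adds the deny."""
    root = [FULL_AWS_ACCESS]
    sandbox_ou = [FULL_AWS_ACCESS, DENY_CREATE_USER]
    account = [FULL_AWS_ACCESS]
    return {
        "create_user_in_sandbox": effective_decision([root, sandbox_ou, account], "iam:CreateUser")[0],
        "list_buckets_in_sandbox": effective_decision([root, sandbox_ou, account], "s3:ListAllMyBuckets")[0],
        # FullAWSAccess removed from the OU with nothing in its place:
        "ou_without_any_scp": effective_decision([root, [], account], "s3:ListAllMyBuckets")[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two points the simulation makes concrete: a deny-only SCP is useless on its own (the "ou_without_any_scp" case denies everything, and a level holding only DENY_CREATE_USER would too, because nothing allows), and the denial message carries no pointer back to the policy that caused it.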
An important thing to note is that the error message is generic and gives no information about which SCP is blocking the action. This can make troubleshooting difficult, especially in organizations with multiple SCPs and other policy types that could be contributing to the denial. In some cases, this message shows up even when it is not an SCP blocking the action!