Service Control Policies (SCPs)

Complete the full lesson to earn 25 points

Work through each section, then tap “Mark as Complete” on the last one.

Section 1 of 12

✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro

Mastering AWS Service Control Policies (SCPs)

Introduction: The Foundation of Multi-Account Governance

In the early days of cloud adoption, many organizations started with a single AWS account. This approach was simple to manage, but as organizations scaled and their needs became more complex, the single-account model quickly became a bottleneck. Security risks were concentrated, cost allocation was opaque, and innovation was stifled by the inability to isolate environments. Today, the industry standard is to use a multi-account strategy, often orchestrated through AWS Organizations. However, managing dozens or even hundreds of accounts introduces a new challenge: how do you ensure that every account adheres to your organization's security and compliance standards without manually auditing each one?

This is where Service Control Policies (SCPs) become essential. SCPs are a type of organization policy that you can use to manage permissions in your organization. Think of an SCP as a "guardrail" or a "boundary" that defines the maximum permissions for the accounts in your organization. Unlike IAM policies, which grant permissions to users and roles, SCPs do not grant any permissions themselves. Instead, they specify the maximum permissions that an account administrator can delegate to the users and roles within that account. If an action is not allowed by an SCP, it doesn't matter if an IAM policy explicitly grants it—the action will be denied.

Understanding SCPs is critical for any cloud engineer, security architect, or platform administrator. Without them, you are relying on the assumption that every local account administrator will perfectly configure their own IAM policies. In a large-scale environment, this is a dangerous assumption. By mastering SCPs, you gain the ability to enforce "deny-by-default" postures, restrict sensitive services to specific regions, and prevent the accidental deletion of critical infrastructure, all from a centralized location.

Section 1 of 12
PrevNext