Service Control Policies (SCP) vs IAM Policies


Service Control Policies (SCP) IAM Policies SCPs are mainly used along with AWS Organizations organizational units (OUs). SCPs do not replace IAM Policies such that they do not provide actual permissions. To perform an action, you would still need to grant appropriate IAM Policy permissions. Even if a Principal is allowed to perform a certain action (granted through IAM Policies), an attached SCP will override that capability if it enforces a Deny on that action. SCP takes precedence over IAM Policies. SCPs can be applied to the root of an organization or to individual accounts in an OU. When you [...]