AWS Service Control Policies Study Notes


In this post, I make available my notes about AWS Service Control Policies (SCPs) made from Adrian Cantrill’s course AWS Certified Solutions Architect – Associate (SAA-C02). The Q&A session below can be used to validate your knowledge or to create flashcards to study as I do. Since this is a piece of knowledge under construction there may be mistakes; drop a comment with any suggestions.


A Service Control Policy (SCP) is a permission boundary that can limit what an AWS account can do by allowing or denying access to services and resources. Although an SCP doesn’t grant any permissions, restricting the usage of services and resources can indirectly restrict what the Root User can do in that account.

An SCP takes the form of a JSON document that you can attach to an Organization Root, Organizational Units (OUs), or individual AWS accounts. The way in which the policy affects an AWS account depends on where the SCP is attached. When attached to an Organizational Unit, the OU is affected together with all accounts below it in the tree; when attached to an individual AWS account, only that account is affected; and when attached to the Organization Root, all accounts down the tree are affected, but not the management account itself.

Because the Management Account is a special type of account not affected by SCPs, it is good practice to avoid using that account to create AWS resources. There are two strategies to manage permissions with SCPs: using an Allow List and using a Deny List. Deny List means that AWS gives you full access to services and resources by applying the FullAWSAccess policy, and you need to explicitly deny access. This is the default strategy when an organization is created and has lower admin overhead. Allow List means the FullAWSAccess policy is removed, which as a consequence restricts all services and resources. In this strategy you need to explicitly allow access to services and resources; although it is more secure, it has more admin overhead.

See more content like this by accessing the Study Note Tag or AWS Category inside this blog.

An Identity Policy cannot grant access to a service restricted by an SCP. Therefore, only services and resources allowed in both policies are effectively allowed.
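To make the Deny List / Allow List strategies and the SCP-plus-identity-policy rule above concrete, here is an added example (not from the course or the blog post) that simulates how an action is evaluated against SCPs attached from the Organization Root down to an account, and then against the account's identity policy. The policy documents, account names and the helper functions are constructed for illustration; the simulator only looks at Effect and Action and ignores Resource, Condition and NotAction, which real AWS evaluation also considers.

```python
import fnmatch

# Constructed sample policies (illustration only; not from the course notes).
# AWS attaches FullAWSAccess to the root by default (Deny List strategy).
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Deny List style: keep FullAWSAccess and add an explicit Deny for EC2.
DENY_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ec2:*"], "Resource": "*"}],
}

# Allow List style: FullAWSAccess is detached from the OU and only the listed
# actions are allowed; everything else falls to an implicit deny.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}
    ],
}

# Constructed identity (IAM) policies attached to a principal in the account.
ADMIN_IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
S3_READ_ONLY_IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}
    ],
}


def _actions(stmt):
    """Normalise the Action element, which may be a string or a list."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else list(action)


def policy_decision(policy, action):
    """Evaluate one policy document for one action.

    Returns 'deny' (explicit deny), 'allow' (matching Allow statement) or
    'implicit_deny' (no statement matched). An explicit deny always wins.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def scp_allows(chain, action):
    """chain: list of SCP lists ordered Organization Root -> OU(s) -> account.

    The action must be allowed by at least one SCP at every level, and no SCP
    at any level may explicitly deny it. Removing FullAWSAccess from a level
    (Allow List strategy) therefore blocks everything not explicitly allowed.
    """
    for level_policies in chain:
        decisions = [policy_decision(p, action) for p in level_policies]
        if "deny" in decisions or "allow" not in decisions:
            return False
    return True


def effective_allow(chain, identity_policy, action, is_management_account=False):
    """An action is effective only if the identity policy allows it AND the
    SCP chain allows it. SCPs never apply to the management account."""
    identity_ok = policy_decision(identity_policy, action) == "allow"
    if is_management_account:
        return identity_ok
    return identity_ok and scp_allows(chain, action)


if __name__ == "__main__":
    deny_list_chain = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_EC2]]
    allow_list_chain = [[FULL_AWS_ACCESS], [ALLOW_LIST_SCP]]
    for name, chain in [("deny-list OU", deny_list_chain), ("allow-list OU", allow_list_chain)]:
        for action in ["s3:GetObject", "ec2:DescribeInstances", "ec2:RunInstances"]:
            print(f"{name:14} {action:24} -> {effective_allow(chain, ADMIN_IDENTITY, action)}")
```

Running the block shows the asymmetry between the two strategies: under the deny-list OU everything except the explicitly denied `ec2:*` actions succeeds, while under the allow-list OU only the listed `s3:*` and `ec2:Describe*` actions succeed. Passing `is_management_account=True` bypasses the SCP chain entirely, which is exactly why the notes recommend not creating resources in the management account.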

What is Service Control Policy (SCP)?

A permission boundary that can limit what an AWS account can do by allowing or denying access to services and resources.

What does SCP stand for?

Service Control Policy

What type of permissions does a Service Control Policy (SCP) grant?

An SCP doesn't grant any permissions; it only restricts the usage of services and resources.

How does a Service Control Policy (SCP) affect the Root User?

The Root User is indirectly affected: it cannot perform actions on services and resources restricted by an SCP.

What can a Service Control Policy (SCP) be attached to?

Organization Root, Organizational Units (OUs), or individual AWS accounts.

How does a Service Control Policy (SCP) affect OUs, individual accounts, and the Organization Root?

- Organizational Unit: the OU is affected together with all accounts below it in the tree.
- Individual account: only that account is affected.
- Organization Root: all accounts down the tree are affected, but not the Management Account.

Does a Service Control Policy (SCP) affect the Management Account?

No, the Management Account is a special type of account not affected by SCPs.

Can you use a Management Account to create resources?

Yes; however, it is not recommended because you cannot restrict resources in the Management Account using a Service Control Policy (SCP).

What are the two strategy types for managing permissions using Service Control Policies (SCPs)?

Deny List and Allow List.

How does the Service Control Policy (SCP) strategy type Deny List work?

You need to explicitly deny access; AWS by default grants full access to services and resources by applying an SCP named FullAWSAccess.

How does the Service Control Policy (SCP) strategy type Allow List work?

You need to explicitly allow access; the FullAWSAccess SCP is removed, which restricts all services and resources not explicitly allowed.

What is the default Service Control Policy (SCP) strategy type?

Deny List

What is the administration difference between the Service Control Policy (SCP) strategy types Deny List and Allow List?

- Deny List: this is the default strategy when an organization is created and has lower admin overhead.
- Allow List: this is more secure but has more admin overhead.

Can an Identity Policy grant access to a service restricted by a Service Control Policy (SCP)?

No, only services and resources allowed in both policies are allowed.
