SCPs: Organization Policies

It is recommended that you define policies at the Organization level and enforce them using Service Control Policies. These are IAM policies that limit permissions granted (Guardrails).

SCPs can be applied to the whole organization, to a specific organizational unit or to a specific account: SCPs

And SCPs will restrict the effective maximum permission: SCPs

Therefore they are ideal to set up Security Invariants (the things that you want to set up and never change, or at least not frequently): SCPs

Think about everything that you never want it to happen in your accounts and enforce it through SCPS.

SCP Examples:


AWS Organizations is a free service, therefore Service Control Policies are free to use.