You are currently viewing AWS Service Control Policy (SCP) With Examples

AWS Service Control Policy (SCP) With Examples

AWS Service Control Policy (SCP) With Examples

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we have discussed AWS Organization policy.

In this blog post, we will discuss AWS Service Control Policy (SCP) with examples. Service Control Policy (SCP) is similar to IAM permissions policies except that they don’t grant any permissions. Instead, SCPs specify the maximum permissions for an organization, organizational unit (OU), or account. When you attach an SCP to your organization root or an OU, the SCP limits permissions for entities in member accounts.

Elements Of Service Control Policy (SCP):

Service Control Policy (SCP) policy syntax is very much similar to IAM permission policy or any other resource-based policy and is written in JSON. Below are the elements of a service control policy.

  • Version: Specifies the language syntax rules to use for processing the policy.
  • Statement: Serves as the container for policy elements. You can have multiple statements in SCPs.
  • Statement ID (Sid): (Optional) Provides a friendly name for the statement.
  • Effect: Defines whether the SCP statement allows or denies access to the IAM users and roles in an account.
  • Action: Specifies AWS service and actions that the SCP allows or denies.
  • NotAction: Specifies AWS service and actions that are exempt from the SCP. Used instead of the Action element.
  • Resource: Specifies the AWS resources that the SCP applies to.
  • Condition: Specifies conditions for when the statement is in effect.

Example Service Control Policy:

The above example scp policy restrict anyone from creating any EC2 instance of any other type than “t2.micro”.

Next, we are going to discuss how to manage AWS organization scp policy using API.


AWS Organization created with multiple OU and member accounts. You can refer below blog post to create the organization. This blog is a continuation from below blog post.

How To Enable Service Control Policy (SCP) In AWS Organization Using AWS CLI

How To Create A New SCP Policy Using AWS CLI

How To Attach An SCP To An Organizational Unit Using AWS CLI

Now, if we try to create a new subnet in the accounts under “Foundation” OU, you will get an error.

Next, let us explain SCP policy inheritance with an example. This time we are going to create a new SCP to deny VPC creation and apply it to “Regulatory” OU.

Next, try to create internet gateway in an account inside Regulatory OU.

How To Update An SCP Policy Using AWS CLI

How To Detach An SCP Policy From An Organizational Unit Using AWS CLI

How To Delete An SCP Policy Using AWS CLI

Hope you have enjoyed this article. To know more about AWS organization, please refer below official documentation

Leave a Reply