How do SCPs interact with IAM policies?

SCPs set the maximum permissions boundary for an account. An action must be allowed by both the SCP and the IAM policy for a principal to perform it. If an SCP denies an action, no IAM policy — not even AdministratorAccess — can override it. SCPs do not grant permissions; they only filter what is allowed. The effective permissions are the intersection of the SCP and the identity-based policies.

Do SCPs affect the management account?

No. SCPs never restrict the management (root) account of the organization. Even if you attach an SCP to the root OU, principals in the management account are not affected. This is by design so the management account can always perform administrative tasks. For this reason, you should minimize workloads in the management account and use it only for billing and organization management.

What is the size limit for an SCP?

Each SCP can be up to 5,120 characters, excluding whitespace. This is significantly smaller than IAM managed policies (6,144 characters). Because SCPs must cover entire organizational units, you may need multiple SCPs to express all your restrictions. You can attach up to five SCPs per OU or account, and you can use the builder to keep each policy within the size limit.

SCP Policy Builder

IAM & SecurityAWS

Build AWS Service Control Policy statements for Organizations.

Last verified: May 2026

SCP Policy Configuration

Statement 1

SID (optional)

Effect

Use NotAction (deny everything except listed actions)

Actions (comma-separated)

Resources (comma-separated)

Condition Operator

Condition Key

Condition Values (comma for multiple)

Generated SCP Policy

Output will appear here...

See It in Action

Your security team is hardening the org after a finding that a junior dev disabled CloudTrail in a dev account. The builder generates an SCP denying `cloudtrail:StopLogging`, `cloudtrail:DeleteTrail`, `guardduty:Disable*`, `config:Stop*`, and similar. Tested in a sandbox OU first (no impact on legitimate workloads), then promoted to all OUs. Now no member account — even with full admin — can disable security services. Audit finding closed; the same incident becomes structurally impossible.

What This Tool Does

Service Control Policies (SCPs) are the guardrails of AWS Organizations, setting the maximum permissions boundary for every account in an organizational unit. Unlike IAM policies that grant access, SCPs restrict what actions member accounts can perform — even if those accounts have full administrator privileges. The SCP Policy Builder helps you construct deny and allow statements with the correct syntax, condition keys, and resource scoping so your organization-wide security boundaries work as intended without accidentally blocking critical services.

Technical Details

The builder constructs SCP JSON documents with Statement arrays containing Effect (Allow or Deny), Action (specific or wildcards), Resource (typically * for SCPs), and Condition blocks. Common templates: deny region-restricted, deny security service disable (CloudTrail/GuardDuty/Config), deny specific services, allow only approved services. Output is the SCP JSON ready to attach via aws organizations create-policy + attach-policy.

Common Use Cases

1Creating deny-based SCPs that prevent member accounts from disabling CloudTrail, GuardDuty, or other security services
2Building region-restriction SCPs that limit resource creation to approved AWS regions for data sovereignty compliance
3Defining SCPs that block access to specific AWS services not approved for use in your organization

Common Questions

How do SCPs interact with IAM policies?: SCPs set the maximum permissions boundary for an account. An action must be allowed by both the SCP and the IAM policy for a principal to perform it. If an SCP denies an action, no IAM policy — not even AdministratorAccess — can override it. SCPs do not grant permissions; they only filter what is allowed. The effective permissions are the intersection of the SCP and the identity-based policies.
Do SCPs affect the management account?: No. SCPs never restrict the management (root) account of the organization. Even if you attach an SCP to the root OU, principals in the management account are not affected. This is by design so the management account can always perform administrative tasks. For this reason, you should minimize workloads in the management account and use it only for billing and organization management.
What is the size limit for an SCP?: Each SCP can be up to 5,120 characters, excluding whitespace. This is significantly smaller than IAM managed policies (6,144 characters). Because SCPs must cover entire organizational units, you may need multiple SCPs to express all your restrictions. You can attach up to five SCPs per OU or account, and you can use the builder to keep each policy within the size limit.

Expert Tips

TIP

SCPs are deny-list, not allow-list. The default policy 'FullAWSAccess' is allow * on *, which is what enables everything. To restrict, you ADD deny statements. Newcomers often try to write SCPs as 'allow only these things' and break their entire org — that pattern requires removing FullAWSAccess and explicitly allowing every needed action, which is a maintenance nightmare.

TIP

Always test SCPs in a sandbox OU first. SCPs apply IMMEDIATELY across the OU on attach — there's no dry-run mode. A poorly-written SCP can lock everyone out of every account in the OU instantly. Test in an OU containing one disposable test account before promoting to production OUs.

TIP

Region-restriction SCPs need to allow global services (IAM, CloudFront, Route 53, Organizations). Without those exceptions, basic admin tasks fail silently. The builder includes a template that handles this correctly by default — hand-crafted policies often miss it and lock teams out of IAM.

Related Learning Guides

AWS Organizations & SCPs26 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.