How do SCPs interact with IAM policies?

SCPs set the maximum permissions boundary for an account. An action must be allowed by both the SCP and the IAM policy for a principal to perform it. If an SCP denies an action, no IAM policy — not even AdministratorAccess — can override it. SCPs do not grant permissions; they only filter what is allowed. The effective permissions are the intersection of the SCP and the identity-based policies.

Do SCPs affect the management account?

No. SCPs never restrict the management (root) account of the organization. Even if you attach an SCP to the root OU, principals in the management account are not affected. This is by design so the management account can always perform administrative tasks. For this reason, you should minimize workloads in the management account and use it only for billing and organization management.

What is the size limit for an SCP?

Each SCP can be up to 5,120 characters, excluding whitespace. This is significantly smaller than IAM managed policies (6,144 characters). Because SCPs must cover entire organizational units, you may need multiple SCPs to express all your restrictions. You can attach up to five SCPs per OU or account, and you can use the builder to keep each policy within the size limit.

SCP Policy Builder

IAM & SecurityAWS

Build AWS Service Control Policy statements for Organizations.

SCP Policy Configuration

Statement 1

SID (optional)

Effect

Use NotAction (deny everything except listed actions)

Actions (comma-separated)

Resources (comma-separated)

Condition Operator

Condition Key

Condition Values (comma for multiple)

Generated SCP Policy

Output will appear here...

About This Tool

Service Control Policies (SCPs) are the guardrails of AWS Organizations, setting the maximum permissions boundary for every account in an organizational unit. Unlike IAM policies that grant access, SCPs restrict what actions member accounts can perform — even if those accounts have full administrator privileges. The SCP Policy Builder helps you construct deny and allow statements with the correct syntax, condition keys, and resource scoping so your organization-wide security boundaries work as intended without accidentally blocking critical services.

When to Use This Tool

•Creating deny-based SCPs that prevent member accounts from disabling CloudTrail, GuardDuty, or other security services
•Building region-restriction SCPs that limit resource creation to approved AWS regions for data sovereignty compliance
•Defining SCPs that block access to specific AWS services not approved for use in your organization

Frequently Asked Questions

How do SCPs interact with IAM policies?: SCPs set the maximum permissions boundary for an account. An action must be allowed by both the SCP and the IAM policy for a principal to perform it. If an SCP denies an action, no IAM policy — not even AdministratorAccess — can override it. SCPs do not grant permissions; they only filter what is allowed. The effective permissions are the intersection of the SCP and the identity-based policies.
Do SCPs affect the management account?: No. SCPs never restrict the management (root) account of the organization. Even if you attach an SCP to the root OU, principals in the management account are not affected. This is by design so the management account can always perform administrative tasks. For this reason, you should minimize workloads in the management account and use it only for billing and organization management.
What is the size limit for an SCP?: Each SCP can be up to 5,120 characters, excluding whitespace. This is significantly smaller than IAM managed policies (6,144 characters). Because SCPs must cover entire organizational units, you may need multiple SCPs to express all your restrictions. You can attach up to five SCPs per OU or account, and you can use the builder to keep each policy within the size limit.

Related Learning Guides

AWS Organizations & SCPs26 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.