What is Resource Control Policy (RCP)?
A Resource Control Policy is an AWS Organizations policy that sets the maximum available permissions for resource-based policies across accounts in the organization — the resource-side counterpart to a Service Control Policy.
SCPs cap what an identity (user or role) can be granted. RCPs cap what a resource-based policy can grant to anyone accessing that resource, including principals outside the account or organization entirely. That last part matters: an SCP only constrains principals inside the org, but a resource-based policy on an S3 bucket or KMS key can name a principal from any AWS account, so SCPs alone can't cap that exposure. RCPs close that gap by applying at the resource side regardless of who's asking.
RCPs apply org-wide the same way SCPs do, and they cover services incrementally as AWS adds RCP support to them — a new RCP-supported service is covered by the guardrail automatically without editing individual resource policies.
Common mistake
Assuming an SCP already covers cross-account resource exposure. It does not — SCPs only constrain principals inside your organization. A bucket policy granting access to an external AWS account is outside SCP reach but inside RCP reach.
Related terms
Analyze a real policy free
Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.