What is a Service Control Policy (SCP)?
A Service Control Policy is an AWS Organizations policy that sets the maximum available permissions for the accounts it is applied to.
SCPs operate at the organization level, above individual IAM policies. Like a permissions boundary, an SCP does not grant access — it defines a ceiling. An action is only allowed in a member account if the SCP permits it and the IAM policies in that account also permit it.
SCPs are the right tool for org-wide guardrails: denying use of certain regions, blocking the disabling of CloudTrail, or preventing changes to specific roles. They apply to everything in the account, including the root user, which makes them stronger than account-level controls.
Common mistake
Relying on SCPs alone for least privilege. An SCP only caps the maximum; the actual IAM policies inside the account still need to be scoped, because an over-broad policy under a permissive SCP is still over-broad.
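To make the ceiling concrete, here is an added example (not part of the original page or of Shieldly's tooling): a deliberately simplified policy evaluator run against constructed SCP and IAM statements. It supports only Effect, Action/NotAction globs and a StringNotEquals condition on aws:RequestedRegion, ignoring resources, principals and the rest of AWS's evaluation logic, so it is an illustration of the intersection rule, not a reimplementation of IAM.

```python
import fnmatch

# Constructed sample policies (not taken from the page or from AWS documentation).
# SCP: a FullAWSAccess-style allow plus two guardrails, one denying every
# non-approved region (global services exempted) and one blocking the
# disabling of CloudTrail.  IAM: an over-broad in-account policy.
SCP = [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
]
IAM_OVERBROAD = [{"Effect": "Allow", "Action": "*"}]
IAM_SCOPED = [{"Effect": "Allow", "Action": "s3:Get*"}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, ctx):
    """Simplified: Action/NotAction glob match, then StringNotEquals on the request context."""
    if "Action" in stmt:
        hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    else:
        hit = not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    if not hit:
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if ctx.get(key) in _as_list(wanted):
            return False  # condition not met, so the statement does not apply
    return True


def _evaluate(statements, action, ctx):
    """Explicit Deny wins; otherwise the action is allowed only if some Allow matches."""
    effects = [s["Effect"] for s in statements if _matches(s, action, ctx)]
    if "Deny" in effects:
        return False
    return "Allow" in effects


def is_allowed(scp, iam, action, region):
    """The SCP is the ceiling: the action needs BOTH the SCP and the IAM policy to allow it."""
    ctx = {"aws:RequestedRegion": region}
    return _evaluate(scp, action, ctx) and _evaluate(iam, action, ctx)
```

The over-broad IAM policy still lets s3:DeleteBucket through in an approved region, which is the common mistake above; the SCP only blocks it outside the approved regions and blocks CloudTrail tampering everywhere.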
Analyze a real policy free
Shieldly's AI-powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as a CLI, VS Code extension, GitHub Action, and CDK Guard.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.