# AWS Service Control Policies (SCPs)

## 📖 Introduction to AWS Service Control Policies (SCPs)

AWS Service Control Policies (SCPs) are a type of organization policy that can be enabled in AWS Organizations. They set the maximum IAM permissions available within your organization. Like IAM policies, SCPs are JSON documents, but they attach to AWS accounts, OUs, or the organization root rather than to IAM identities.

***

## 🗒️ Understanding AWS Service Control Policies (SCPs) Features

By default, when you enable SCPs for an AWS Organization, an SCP called `FullAWSAccess` is automatically attached, which allows all services and actions. Remember, SCPs restrict the permissions that can be granted; they never grant permissions themselves. If this policy is removed and not replaced at any level of the organization, all OUs and accounts under that level are blocked from taking any action.

Some useful information about SCPs:

* The maximum size of a policy document is 5120 characters
* The maximum number of SCPs that can be attached to the organization root, an OU, or an account is 5 each

Since SCPs define the maximum permissions that an IAM user or role can have, they can be used to block actions. Here is an example showing an SCP blocking the `iam:CreateUser` action:

<figure><img src="https://2721275171-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8yu8YbDfwd1VqEdUxGyA%2Fuploads%2FM4NoewJ5VdiBhymqD7Qt%2Fimage.png?alt=media&#x26;token=220d0656-40a8-4852-a33c-4b3fc5ca20d1" alt=""><figcaption><p>SCP blocking iam user creation</p></figcaption></figure>

An important thing to note is that the error message is generic and does not say which SCP is blocking the action. This can make troubleshooting difficult, especially in organizations with multiple SCPs and other policy types that could be affecting the result. In some cases, this message shows up even when it's not an SCP blocking the action!
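To make the "SCPs only restrict" rule concrete, here is an added example (not code from the original page) that models how SCPs attached at the root, an OU, and an account combine for a single action. The two policy documents are constructed samples (`FullAWSAccess` and the `iam:CreateUser` deny shown in the figure), and the evaluator is a simplified model that ignores `Resource`, `Condition` and `NotAction`.

```python
"""Added example: how SCPs combine along the Organizations hierarchy.

Simplified model (assumption, not AWS's evaluator): at every level the
action needs a matching Allow from some attached SCP and no matching Deny
from any; Resource, Condition and NotAction are ignored."""
import fnmatch
import json

# Constructed sample: the default SCP AWS Organizations attaches (FullAWSAccess).
FULL_AWS_ACCESS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample matching the page's figure: block IAM user creation.
DENY_CREATE_USER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}],
})


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action fields."""
    return value if isinstance(value, list) else [value]


def _matches(stmt: dict, action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' / '?' wildcards."""
    patterns = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_permits(policies: list[str], action: str) -> bool:
    """All SCPs attached at one level are evaluated together.

    No SCP attached (e.g. FullAWSAccess removed and not replaced) means
    nothing allows the action, so the level blocks it.
    """
    allowed = denied = False
    for policy_json in policies:
        for stmt in _as_list(json.loads(policy_json)["Statement"]):
            if _matches(stmt, action):
                if stmt["Effect"] == "Deny":
                    denied = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
    return allowed and not denied


def action_allowed_by_scps(levels: list[list[str]], action: str) -> bool:
    """levels = SCPs attached at each level from the root down to the account.
    The action survives only if every level permits it."""
    return all(level_permits(level, action) for level in levels)
```

A deny attached at the OU level therefore blocks `iam:CreateUser` in every account below it, even though the account level still carries `FullAWSAccess`.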

***

## 📚 Additional Resources

* [AWS Service Control Policy (SCP) Documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)

***

## 🏗️ Hands-on Exercises

{% content-ref url="aws-service-control-policies-scps/lab-deploying-aws-service-control-policies-scps-via-terraform" %}
[lab-deploying-aws-service-control-policies-scps-via-terraform](https://www.techwithtyler.dev/academy/aws-security-cookbook-by-tyler/aws-service-control-policies-scps/lab-deploying-aws-service-control-policies-scps-via-terraform)
{% endcontent-ref %}
