Reply To: If SCPs already deny, is an explicit IAM role in each account required to deny?
Was similarly confused by this Q and chose the two config and SCP answers. It specifically states the AWS accounts are all under the same org, so the deny ec2:RunInstances in the SCP at the Org level should be sufficient and not require the IAM policy.