
Forum: AWS Certified Solutions Architect Professional. Thread: Reply To: Inheritance of SCPs

  • Nikee-TutorialsDojo

    Administrator
    May 14, 2025 at 9:01 am

    Hello ch34,

    Thank you for your question regarding Service Control Policies (SCPs) in AWS Organizations.

    To clarify, SCPs define the maximum set of permissions an AWS account can have, but they do not grant permissions by themselves. Instead, they act as a boundary that IAM policies must stay within. You’re correct in stating that explicit deny statements in SCPs are consistently enforced and effectively inherited — they apply across all levels and cannot be overridden. As for allow statements, it’s important to note that they are not “inherited” in the same sense as IAM policies. However, SCPs attached at higher levels (such as the root or an Organizational Unit) still apply to all accounts beneath them, unless overridden or restricted by another SCP. This is why the AWS Management Console may show an SCP like FullAWSAccess as “inherited.” It simply means that the account is subject to that SCP by its position in the organizational hierarchy, not that the SCP is automatically copied or re-attached at each level.

    So, while you don’t need to attach an allow SCP like FullAWSAccess at every level manually, all SCPs attached at the root, OU, or account level are evaluated together to determine the effective permission boundary. As long as there’s no deny in place and the IAM policies permit the action, the allow SCP will still be effective.

    I hope this clears up the confusion, and I appreciate your thoughtful question. Please feel free to reach out if you have further concerns or want to discuss this in more detail.

    Best regards,
    Nikee @ Tutorials Dojo
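The evaluation described in the reply, walked through in code. This is an added example, not code from the post or from AWS; it models the documented AWS rule that an action passes the SCP boundary only if an SCP at every level on the path from the root to the account allows it and none denies it, and that IAM policies must still grant it. The sample policies other than FullAWSAccess are constructed.

```python
import fnmatch

# Constructed sample SCPs. FullAWSAccess mirrors the AWS-managed default;
# the other two are made up for this example.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["organizations:LeaveOrganization", "account:*"],
     "Resource": "*"}]}
ALLOW_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _actions(stmt):
    action = stmt["Action"]
    return [action] if isinstance(action, str) else action


def _matches(action, pattern):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def level_allows(scps, action):
    """One hierarchy level (root, OU, or account) allows an action only if some
    SCP attached there has a matching Allow and none has a matching Deny."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if any(_matches(action, p) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(path, action):
    """path: SCP lists ordered root -> OU(s) -> account. Every level must allow;
    a Deny anywhere on the path wins. Nothing here is inherited by copying."""
    return all(level_allows(scps, action) for scps in path)


def effective_action(path, action, iam_allows):
    """SCPs only bound permissions; the account's IAM policy must also grant."""
    return iam_allows and scp_permits(path, action)


if __name__ == "__main__":
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LEAVE_ORG], [FULL_AWS_ACCESS]]
    print(scp_permits(path, "s3:GetObject"))                    # True
    print(scp_permits(path, "organizations:LeaveOrganization"))  # False
    # OU with only an S3 allow and no FullAWSAccess: non-S3 actions are cut off.
    print(scp_permits([[FULL_AWS_ACCESS], [ALLOW_ONLY_S3], [FULL_AWS_ACCESS]],
                      "ec2:RunInstances"))                       # False
```

The third case is the practical check behind the "inherited" display: detaching FullAWSAccess from an OU without attaching another allow there removes everything that is not explicitly allowed for the accounts beneath it, even though the root still allows it.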
