AWS Certified Solutions Architect Professional forum: Reply To: Fundamental Error in Question on SCP Allow Inheritance

  • JR-TutorialsDojo

    Administrator
    April 30, 2026 at 11:11 pm

    Hello PeterMescher and Jayid,

    Thanks for sharing your thoughts on this item.

    In AWS Organizations, SCPs act as permission guardrails, not permission grants. While it’s true that for an action to be allowed, there must be an explicit Allow at every level, this requirement applies within the SCP hierarchy itself, not as a need to manually attach SCPs to each account.

    When an SCP is attached to an OU, it is automatically inherited by all member accounts. There is no requirement to reattach the same SCP at the account level for it to take effect.

    https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_mgmt.html

    Also, the statement that “only deny statements are inherited” is incorrect. Both Allow and Deny statements are inherited, but:

    • Deny blocks actions explicitly
    • Allow defines the maximum possible permissions (still requiring IAM permissions)

    In this scenario, the SCP already allows S3:* and EC2:* at the OU level. Therefore, the SCP is not restricting the action. The failure must come from the IAM side, where no explicit permission was granted.

    Let me know if this helps.

    Regards,
    JR @ Tutorials Dojo
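As an added example (not code from the post, from AWS, or from Tutorials Dojo), a small Python model of the evaluation the reply describes: SCPs attached at the root or an OU are inherited down the path to the member account, each level on that path must allow the action, an explicit Deny at any level wins, and the IAM identity policy must still grant the action on its own. The organization tree, account ID, policy documents and role policies are constructed for illustration; resource policies, permission boundaries and session policies are left out of the model.

```python
from fnmatch import fnmatch

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)

def statements_allow(action, statements):
    """Deny-wins evaluation over a set of statements: a matching Deny blocks,
    otherwise at least one matching Allow is required."""
    if any(s["Effect"] == "Deny" and _matches(action, s["Action"]) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(action, s["Action"]) for s in statements)

def path_from_root(node, org):
    """Root -> ... -> account; SCPs at every node on this path apply to the account."""
    path = []
    while node is not None:
        path.append(node)
        node = org[node]["parent"]
    return list(reversed(path))

def evaluate(action, account, iam_policy, org):
    """Return 'allowed' or the reason the request fails. OU-level SCPs are
    inherited, so nothing has to be re-attached at the account level."""
    for level in path_from_root(account, org):
        level_statements = [s for scp in org[level]["scps"] for s in scp["Statement"]]
        if not statements_allow(action, level_statements):
            return f"denied by SCP at {level}"
    if not statements_allow(action, iam_policy["Statement"]):
        return "denied: no IAM permission"
    return "allowed"

# Constructed policies (same shape as real SCP/IAM documents, minus Resource).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": ["*"]}]}
OU_SCP = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]}
DENY_IAM_USERS = {"Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser"]}]}
DEV_ROLE = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]}
ADMIN_ROLE = FULL_ACCESS

# Constructed org tree: the restrictive SCP sits only on the OU; the account keeps
# the default full-access SCP and has nothing else attached to it.
ACCOUNT = "111111111111"  # placeholder account ID
ORG = {
    "root":      {"parent": None,        "scps": [FULL_ACCESS]},
    "Workloads": {"parent": "root",      "scps": [OU_SCP, DENY_IAM_USERS]},
    ACCOUNT:     {"parent": "Workloads", "scps": [FULL_ACCESS]},
}

if __name__ == "__main__":
    for action, role in [("s3:GetObject", DEV_ROLE), ("ec2:RunInstances", DEV_ROLE),
                         ("sqs:SendMessage", ADMIN_ROLE), ("iam:CreateUser", ADMIN_ROLE)]:
        print(f"{action:18} -> {evaluate(action, ACCOUNT, role, ORG)}")
```

Running it shows the reply's point directly: `ec2:RunInstances` passes every SCP level yet fails for the dev role because the IAM policy never granted it, while `sqs:SendMessage` fails at the OU even for an administrator.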
