Forum: AWS Certified Solutions Architect Professional
Thread: Fundamental Error in Question on SCP Allow Inheritance (reply)

  • Jayid (Member), April 30, 2026 at 11:24 pm

    @JR, I'd kindly ask you to replicate this behavior. Let's consider this example scenario.

    Root
    |
    |----- Sandbox --> Account A

    On Root, we have the FullAWSAccess SCP attached.

    On the Sandbox OU, we have the FullAWSAccess SCP attached (plus the one inherited from Root).

    On Account A, apply the following SCP and detach the FullAWSAccess SCP:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "ec2:*"
                ],
                "Resource": "*"
            }
        ]
    }

    Log into Account A with a user that has the AdministratorAccess managed policy attached and then try creating a bucket. The bucket fails to create with:

    User: arn:aws:sts::****:assumed-role/AWSReservedSSO_AWSAdministratorAccess_39b69685aec01e2d/*** is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::test-****" because no service control policy allows the s3:CreateBucket action

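The following is an added example, not code from the post or from AWS. It is a simplified model of how SCPs combine down an Organizations tree: an action passes the SCP filter only if some Allow statement matches it at every level from the root to the account, and a matching Deny at any level blocks everything below it. It evaluates only action patterns (no Resource or Condition matching, no permission boundaries or session policies) and treats action names as case-sensitive, which is enough to reproduce the denial in the post. The hierarchies and policy documents are constructed inline; `ADMINISTRATOR_ACCESS` is modelled as `Allow *:*`, the same shape as FullAWSAccess.

```python
"""Simplified model of SCP evaluation across an AWS Organizations hierarchy.

Assumptions (this is an illustration, not the IAM evaluator): only the
Action element is matched, case-sensitively; Resource and Condition are
ignored; no permission boundaries or session policies are involved.
"""
from fnmatch import fnmatchcase

# Policy documents as the post describes them (constructed inline).
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                   "Action": ["ec2:*"], "Resource": "*"}],
}
# Assumption: the identity policy is modelled as Allow *:* on *, like FullAWSAccess.
ADMINISTRATOR_ACCESS = FULL_AWS_ACCESS


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    """True if any Action pattern in the statement (e.g. "ec2:*") matches."""
    return any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))


def policies_allow(policies, action):
    """Decision for the policies attached to ONE node (or one principal).

    A matching explicit Deny wins outright; otherwise the action is allowed
    only if some statement explicitly allows it (implicit deny by default).
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_decision(hierarchy, action):
    """hierarchy: list of (node_name, [attached SCPs]) ordered root -> account.

    Every level must allow the action on its own; an Allow higher up is
    not inherited by a level that lacks one. Returns (True, None) on
    success, otherwise (False, name_of_first_blocking_level).
    """
    for name, scps in hierarchy:
        if not policies_allow(scps, action):
            return False, name
    return True, None


def is_authorized(identity_policies, hierarchy, action):
    """Final decision: the SCP filter AND the identity policy must both allow."""
    scp_ok, _ = scp_decision(hierarchy, action)
    return scp_ok and policies_allow(identity_policies, action)


# The tree from the post: FullAWSAccess on Root and Sandbox, ec2:* only on Account A.
POST_HIERARCHY = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Sandbox", [FULL_AWS_ACCESS]),
    ("Account A", [EC2_ONLY]),
]

# Variant: the ec2-only SCP moved up to the Sandbox OU, FullAWSAccess left on the account.
# The account-level Allow does not help because the OU above it never allows s3.
OU_RESTRICTED_HIERARCHY = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Sandbox", [EC2_ONLY]),
    ("Account A", [FULL_AWS_ACCESS]),
]

if __name__ == "__main__":
    for label, tree in (("post", POST_HIERARCHY), ("ou-restricted", OU_RESTRICTED_HIERARCHY)):
        for action in ("s3:CreateBucket", "ec2:RunInstances"):
            ok, blocker = scp_decision(tree, action)
            final = is_authorized([ADMINISTRATOR_ACCESS], tree, action)
            print(f"{label:14} {action:18} "
                  f"scp={'allow' if ok else 'deny at ' + blocker:<18} "
                  f"final={'allow' if final else 'deny'}")
```

Running the module prints a row per hierarchy and action; for the post's tree, `s3:CreateBucket` is blocked at "Account A" even though the principal carries AdministratorAccess, which is the "no service control policy allows the s3:CreateBucket action" outcome in the error message, while `ec2:RunInstances` passes every level.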