Skip to main content

Overview

AWS Service Control Policies enforce guardrails at the AWS account or organizational unit level. They act as permission boundaries in the cloud control plane, preventing actions regardless of IAM permissions.

Capabilities

  • Organization-wide enforcement across all accounts
  • Allow-list and deny-list strategies that define permission boundaries
  • Condition-based controls (regions, services, encryption requirements)
  • Applies to all principals in target accounts (except the management account and service-linked roles)

Limitations

  • Requires an AWS Organization with all features enabled
  • Only applicable to AWS cloud environments — check out Azure Policy for Azure environments
  • Cannot grant permissions, only restrict them

Generated Format

  • Language: JSON
  • Structure: IAM policy documents with Effect, Action, Resource, and Condition fields
  • Execution: Applied via AWS Organizations console or API

Example Guardrail

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedS3PutObject",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
Learn more at AWS SCP documentation.