Core concept

SCP is JSON policy at OU/account level. Restricts what IAM users/roles can do. Complements IAM (both must allow).

Advertisement

How it works

Deny unused regions. Prevent creating root user access keys. Block turning off CloudTrail. Common SCPs.

Advertisement

Trade-offs + gotchas

Every multi-account org (which is most enterprises). Foundation of AWS governance.