Service control policy (SCP) - An SCP specifies what permissions
can be delegated to users in affected member accounts. The scope of
influence for a policy depends on what you attach the policy to:
If you attach an SCP to a root, it affects all accounts in the
organization.
If you attach an SCP to an OU, it affects all accounts in that
OU and in any child OUs.
If you attach the policy directly to an account, then it affects
only that account.
SCPs are JSON policies that specify the maximum permissions for an
organization or organizational unit (OU). When you attach one SCP to
a higher level root or OU, and you also attach a different SCP to a
child OU or to an account, the child policy can further restrict
only the permissions that pass through the parent filter and are
available to the child. An SCP that is attached to a child cannot
grant a permission that is not already granted by the parent. For
example, imagine that the parent SCP allows permissions A, B, C, D,
and E. The child SCP allows C, D, E, F, and G. The result is that
the accounts affected by the child SCP are allowed to use only C, D,
and E. They cannot use A or B because they were filtered out by the
child OU. They also cannot use F and G because they were filtered
out by the parent OU. They cannot be granted back by the child SCP;
child SCPs can only filter the permissions they receive from the
parent SCP.
AWS Organizations attaches a default SCP named \"FullAWSAccess
to
every root, OU, and account. This default SCP allows all services
and actions, enabling any new child OU or account to inherit the
permissions of the parent root or OU. If you detach the default
policy, you must replace it with a policy that specifies the
permissions that you want to allow in that OU or account.
For more information about how Organizations policies permissions
work, see Using Service Control Policies
in the AWS Organizations User Guide.
This operation can be called only from the organization's master
account.