Note: Every root, OU, and account must have at least one SCP
attached. If you want to replace the default FullAWSAccess
policy with
one that limits the permissions that can be delegated, then you must
attach the replacement policy before you can remove the default one.
This is the authorization strategy of
whitelisting.
If you instead attach a second SCP and leave the FullAWSAccess
SCP
still attached, and specify "Effect": "Deny"
in the second SCP to
override the "Effect": "Allow"
in the FullAWSAccess
policy (or any
other attached SCP), then you are using the authorization strategy of
blacklisting.
This operation can be called only from the organization's master
account.