Updated on 2024-04-19 GMT+08:00

SCP Introduction

Definition

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. The organization management account can use SCPs to limit the permissions that can be assigned to member accounts to ensure that they stay within your organization's access control guidelines. SCPs can be attached to an organization, OUs, and member accounts. Any SCP attached to an organization or OU affects all the accounts within the organization or under the OU.

Helpful links:

  • SCP Principles: SCP types, how SCPs work, inheritance of SCPs, and relationship between SCPs and IAM policies
  • SCP Syntax: SCP structure and parameters

Testing SCP Effects

Before applying an SCP in your production environment, it is strongly recommended that you design the policy and exercise it thoroughly with test accounts in a test environment. This avoids unnecessary impact on service resources in production. Once the test environment has been fully verified, create an OU and move one or a few accounts into it at a time, so that resource use is not inadvertently interrupted.

Do not detach the system-defined SCP named FullAccess unless you replace it with a custom policy that explicitly allows the required actions. If you detach FullAccess and attach such a custom policy, it must allow the actions required by the services the accounts use, and it must also allow iamToken::* and signin::*; otherwise operations for the affected accounts will fail.

  • If you detach the FullAccess SCP from the root OU, operations performed by all accounts in the organization will fail. Detaching the FullAccess SCP is highly risky. Exercise caution with this operation.
  • If you detach the FullAccess SCP from an OU, operations performed by the accounts in that OU and in its lower-level OUs will fail.
  • If you detach the FullAccess SCP from a member account, operations performed by that account will fail.
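The following simulation is an added example, not Huawei Cloud's own code, and not the real policy engine. It models the behaviour described above (a FullAccess SCP attached at the root, at an OU, or at the account; detaching it at any level breaks the accounts below; a replacement policy must include iamToken::* and signin::*) so that you can see the lockout before you touch a real organization. The assumptions are: SCP documents follow the Version "5.0" / Statement / Effect / Action layout from the SCP Syntax page; an action is permitted only if every level from the root down to the account has an attached SCP that allows it and none that denies it (inferred from the three bullets above); Action entries match as shell-style globs; and the action names iamToken::getToken, signin::login and the ecs/obs actions are constructed placeholders.

```python
"""Simulate the effect of detaching or replacing the FullAccess SCP.

Added example, not Huawei Cloud code. Assumptions (not stated on the page):
SCP documents use the Version "5.0"/Statement/Effect/Action layout; an action
is permitted only if every level (root, each OU, the account) has at least
one attached SCP that allows it and none that denies it; Action entries
match as shell-style globs; the action names below are constructed.
"""
import fnmatch
import json

# System-defined FullAccess SCP as the page describes its effect (allows
# everything). The exact document text is an assumption.
FULL_ACCESS = json.dumps({
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["*"]}],
})

# Constructed replacement that allows ECS but omits the two actions every
# account needs: iamToken::* and signin::*.
ECS_ONLY = json.dumps({
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:*:*"]}],
})

# Corrected replacement: service actions plus iamToken::* and signin::*,
# with an explicit Deny to show that Deny wins over Allow.
ECS_PLUS_LOGIN = json.dumps({
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:*", "iamToken::*", "signin::*"]},
        {"Effect": "Deny", "Action": ["ecs:cloudServers:delete"]},
    ],
})


def _matches(action, patterns):
    """Glob-match an action such as ecs:cloudServers:create against
    patterns such as ecs:*:*, iamToken::* or * (assumed matching rule)."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def level_allows(scps, action):
    """One level (root, OU or account) permits `action` only if some
    attached SCP allows it and no attached SCP denies it. An empty list
    (FullAccess detached, nothing attached) permits nothing."""
    allowed = denied = False
    for doc in scps:
        for stmt in json.loads(doc)["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    denied = True
                elif stmt["Effect"] == "Allow":
                    allowed = True
    return allowed and not denied


def is_permitted(action, levels):
    """`levels` lists the SCPs attached at the root, each OU on the path,
    and the account. Every level must allow (assumed intersection rule)."""
    return all(level_allows(scps, action) for scps in levels)


# Constructed organization: root -> OU -> member account, and the actions
# we probe (placeholder names, not taken from the page).
ACTIONS = ["iamToken::getToken", "signin::login", "ecs:cloudServers:create",
           "ecs:cloudServers:delete", "obs:bucket:list"]


def scenario(root, ou, account):
    """Return {action: permitted} for a member account given the SCP lists
    attached at the root, its OU and the account itself."""
    return {a: is_permitted(a, [root, ou, account]) for a in ACTIONS}


def demo():
    return {
        # FullAccess attached everywhere: everything is permitted.
        "default": scenario([FULL_ACCESS], [FULL_ACCESS], [FULL_ACCESS]),
        # FullAccess detached from the OU with no replacement: all fail,
        # even though root and account still carry FullAccess.
        "ou_detached": scenario([FULL_ACCESS], [], [FULL_ACCESS]),
        # Replaced by an ECS-only policy: token and sign-in actions fail,
        # which locks the accounts out in practice.
        "ou_ecs_only": scenario([FULL_ACCESS], [ECS_ONLY], [FULL_ACCESS]),
        # Correct replacement: ECS plus token/sign-in work, other services
        # do not, and the explicit Deny still blocks deletion.
        "ou_fixed": scenario([FULL_ACCESS], [ECS_PLUS_LOGIN], [FULL_ACCESS]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for action, ok in result.items():
            print(f"  {'allow' if ok else 'DENY '} {action}")
```

Run it before and after editing a replacement policy: a scenario in which iamToken::getToken or signin::login comes back denied is the same condition the bullets above describe as "operations will fail", and the `ou_detached` case shows why re-attaching FullAccess at the root or the account does not rescue an OU that has lost it.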

Tasks Not Restricted by SCPs

You cannot use SCPs to restrict the following tasks:

  • Any action performed by the organization management account, including by the IAM users under it.
  • Any action performed using permissions that are attached to a service-linked agency.
  • Any API calls made by SCP-unsupported cloud services to SCP-supported cloud services. For the cloud services and regions that support SCPs, see Cloud Services for Using SCPs and Regions for Using SCPs.
  • Obtaining a token through the APIs used to access the APIs of SCP-supported cloud services.