An Service Control Policy defines the AWS service actions, such running EC2 Instances, that are available for use in different accounts within an organization.

In order to use SCP your Organization must have All-Features enabled.

It is worth remembering that SCP do not grant permissions!, they control the maximum available permissions, they set a boundary of permission.

SCP affect principals managed by your accounts in your organisation, they do not affect resource-based policies.

Remember that SCP are guard-rails to the what is permitted by IAM User and Role Policies (see previous post about IAM for more info).

By default AWS Organizations cascades a FullAWSAccess policy to every OU and account ( meaning that no particular boundary is applied). Organisations uses Deny List strategy - therefore if you want to set a boundary on some permissions you need to

add an explicit Deny List in whatever point of the hierarchy (root, OUs and individual accounts).

It is possible though to remove the FullAWSAccess and therefore having a Allow List strategy.

This means that you have to create SCPs to allow permissions and attach them to every account and every OU above it.