There are two strategies for applying Service Control Policies (SCPs) to accounts: an allow list (whitelisting) or a deny list (blacklisting). In both cases the SCP acts as a permission filter, never as a grant.
- Whitelisting (allow list) – We specify the access that is allowed; everything else is blocked. By default, FullAWSAccess is attached to all roots, organizational units (OUs) and accounts. When we replace this policy with one that allows a more limited set of permissions for an account, users and roles in that account can exercise only that level of permission; even an IAM policy cannot allow an action the SCP leaves out. If we set the policy on the root, every account in the organization is affected by the restriction, and we cannot add permissions back at a lower level of the hierarchy, because an SCP never grants permission, it only filters it.
- Blacklisting (deny list) – With this technique we specify the access that is not allowed. By default AWS Organizations attaches FullAWSAccess to all roots, OUs and accounts, so we leave the FullAWSAccess policy in place and attach policies that explicitly deny access to the services we want to restrict. An explicit deny overrides any allow of that action.
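The two strategies, and the rule that an SCP only filters what IAM already allows, are easier to see with a small evaluator. The following is an added example, not code from the original page or from AWS: the policy documents are constructed sample values, and the evaluator is a simplified model of the documented behaviour (explicit Deny wins at every level, every level from root to account must allow the action, and the principal's own IAM policy must allow it too). Action matching is reduced to a trailing `*` wildcard; condition keys and resource ARNs are deliberately ignored.

```python
"""Toy model of how AWS Service Control Policies (SCPs) filter IAM permissions.

Added example, not from the original page or from AWS. It encodes three rules:
  1. at each organizational level (root, OU, account) an explicit Deny wins,
  2. every level on the path to the account must Allow the action, so a
     permission dropped at the root cannot be "added back" lower down,
  3. the SCP layer never grants anything; the IAM policy must allow it as well.
Matching is simplified to a trailing '*' on the action name (fnmatch), which is
enough to show the allow-list vs. deny-list difference.
"""

from fnmatch import fnmatchcase

# --- Constructed policy documents (sample values, not taken from the page) ---

# The default policy AWS Organizations attaches everywhere.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Allow-list strategy: FullAWSAccess is replaced on an OU by a narrower Allow.
ALLOW_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

# Deny-list strategy: FullAWSAccess stays, and an explicit Deny filters services.
DENY_LIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "organizations:LeaveOrganization"],
            "Resource": "*",
        }
    ],
}


def _actions(stmt):
    """Normalise the Action element, which may be a string or a list."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else action


def _matches(stmt, action):
    return any(fnmatchcase(action, pattern) for pattern in _actions(stmt))


def _level_permits(policies, action):
    """Evaluate all policies attached at one level: Deny wins, else need an Allow."""
    statements = [s for policy in policies for s in policy["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in statements)


def scp_permits(levels, action):
    """`levels` lists the policies attached at root, then each OU, then the account.

    The action passes the SCP layer only if every level permits it, which is why a
    permission removed at the root cannot be restored by a broader SCP further down.
    """
    return all(_level_permits(policies, action) for policies in levels)


def iam_allows(iam_policy, action):
    """The principal's identity policy, evaluated with the same Deny/Allow rule."""
    return _level_permits([iam_policy], action)


def effective(levels, iam_policy, action):
    """An action is usable only if the SCP layer lets it through AND IAM allows it."""
    return scp_permits(levels, action) and iam_allows(iam_policy, action)


# Hypothetical principal that IAM allows to do everything.
ADMIN_IAM = FULL_AWS_ACCESS

# Allow-list organization: root keeps the default, the OU holding the account
# has FullAWSAccess replaced by ALLOW_LIST_SCP.
ALLOW_LIST_ORG = [[FULL_AWS_ACCESS], [ALLOW_LIST_SCP]]

# Deny-list organization: FullAWSAccess everywhere, plus an explicit Deny on the OU.
DENY_LIST_ORG = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LIST_SCP]]

# Root was narrowed to the allow list; the account level tries to widen it again.
ADD_BACK_ATTEMPT = [[ALLOW_LIST_SCP], [FULL_AWS_ACCESS]]


if __name__ == "__main__":
    for label, org in (("allow-list", ALLOW_LIST_ORG), ("deny-list", DENY_LIST_ORG)):
        for action in ("s3:GetObject", "iam:GetUser", "iam:CreateUser"):
            print(f"{label:10} {action:22} -> {effective(org, ADMIN_IAM, action)}")
    print("add-back   iam:GetUser            ->", effective(ADD_BACK_ATTEMPT, ADMIN_IAM, "iam:GetUser"))
```

Running it shows the allow list blocking both IAM actions while the deny list blocks only the explicitly listed one, and the "add-back" case demonstrates that a FullAWSAccess policy attached below a restrictive root SCP does not restore the dropped permission.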