SCP enforce policies into multiple accounts within an OU or multiple OUs. For example, dev department can only launch t2.small instances.

  • create multiple accounts
  • create organization units
  • move accounts into OU
  • apply SCP (allow and deny)
AWS Organizations SCP (Service Control Policy)

Basic Organizations CLI#

list active accounts

aws organizations list-accounts \
--query '[Accounts[?Status==`ACTIVE`]]'

list root organization

aws organizations list-roots

take note the parent id

export PARENT_ID=xxxx

list organization units

aws organizations list-organizational-units-for-parent \
--parent-id $PARENT_ID

Create Accounts and OUs#

create an account in each OU

aws organizations create-account \
--email \
--account-name me-account4

take note dev account id

export ME_ACCOUNT_ID = xxxx

create security and dev OUs and take note OU id

aws organizations create-organizational-unit \
--parent-id $PARENT_ID \
--name Dev
export DEV_OU_ID = xxx

move an account into an OU

aws organizations move-account \
--account-id $ME_ACCOUNT_ID \
--source-parent-id $PARENT_ID \
--destination-parent-id $DEV_OU_ID

close an account

aws organizations close-account \
--account-id $DEV_ACCOUNT_ID

Apply SCP to OUs#

require dev to use specific ec2 instance type

"Version": "2012-10-17",
"Statement": [
"Sid": "RequireMicroInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": ["arn:aws:ec2:*:*:instance/*"],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": "t2.micro"

create a scp

aws organizations create-policy \
--content file://policy.json \
--name SCPPolicyDemoFromCli \
--description test

take note policy id

export POLICY_ID=xxxx

attach scp policy to an OU

aws organizations attach-policy \
--policy-id $POLICY_ID \
--target-id $DEV_OU_ID \

aws organizations attach a default role to the account created within the unit. switch role and check permssion


deny dev to create dynamodb db table

"Version": "2012-10-17",
"Statement": [
"Sid": "DenyCreateDDBTable",
"Effect": "Deny",
"Action": "dynamodb:CreateTable",
"Resource": ["*"]

update policy

aws organizations update-policy \
--policy-id $POLICY_ID \
--content file://update_policy.json


  1. best practice scp

  2. scp examples