Service control policies (SCPs)

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

IAM policies apply at users and roles within an AWS account, but SCP apply to multiple accounts or organizations.

tip

SCP is a limit, not a permission, like permission boundaries.

Control what API actions are allowed in a given account.

https://digitalcloud.training/aws-scp-mastering-aws-service-control-policies