AWS Security ChangesHomeSearch

AWS organizations medium security documentation change

Service: organizations · 2025-10-28 · Security-related medium

File: organizations/latest/userguide/orgs_manage_policies_scps_syntax.md

Summary

Updated SCP syntax examples, corrected formatting in tables, restructured policy examples (swapped allow/deny examples), added clarification about Resource element usage in Allow vs Deny statements, and reordered unsupported elements list.

Security assessment

The changes clarify security-critical SCP syntax restrictions (e.g., Resource element limitations in Allow statements) and correct policy examples that enforce regional restrictions and principal-based access. These updates directly impact how security controls are implemented through SCPs.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_policies_scps_syntax.md b/organizations/latest/userguide/orgs_manage_policies_scps_syntax.md
index 2dbc45f86..d5a6e7a56 100644
--- a//organizations/latest/userguide/orgs_manage_policies_scps_syntax.md
+++ b//organizations/latest/userguide/orgs_manage_policies_scps_syntax.md
@@ -30,3 +30,3 @@ Version | Specifies the language syntax rules to use for processing the policy.
-Condition | Specifies conditions for when the statement is in effect. |  `Allow`, `Deny`  
-NotAction |  Specifies AWS service and actions that are exempt from the SCP. Used instead of the `Action` element. |  `Allow`, `Deny`  
-Resource | Specifies the AWS resources that the SCP applies to. |  `Allow`, `Deny`  
+Condition | Specifies conditions for when the statement is in effect. |  `Allow,``Deny`  
+NotAction |  Specifies AWS service and actions that are exempt from the SCP. Used instead of the `Action` element. |  `Allow,``Deny`  
+Resource | Specifies the AWS resources that the SCP applies to. |  `Allow,``Deny`  
@@ -156 +156 @@ You can specify a `Condition` element in allow and deny statements in an SCP.
-The following example shows how to use a condition element with a deny statement in an SCP to restrict access to any operations outside the `eu-central-1` and `eu-west-1` Regions, except for actions in the specified services. 
+The following example shows how to use a condition element with an allow statement in an SCP to permit specific principals to access AWS services.
@@ -163,4 +163,8 @@ The following example shows how to use a condition element with a deny statement
-                "Sid": "DenyAllOutsideEU",
-                "Effect": "Deny",
-                "NotAction": [
-                    "cloudfront:*",
+             "Sid":"AllowServicesForSpecificPrincipal",
+             "Effect":"Allow",
+             "Action":[
+                "ec2:*",
+                "s3:*",
+                "rds:*",
+                "lambda:*",
+                "cloudformation:*",
@@ -168,2 +172 @@ The following example shows how to use a condition element with a deny statement
-                    "route53:*",
-                    "support:*"
+                "cloudwatch:*"
@@ -173,4 +176,3 @@ The following example shows how to use a condition element with a deny statement
-                    "StringNotEquals": {
-                        "aws:RequestedRegion": [
-                            "eu-central-1",
-                            "eu-west-1"
+                "StringEquals":{
+                   "aws:PrincipalArn":[
+                      "arn:aws:iam::123456789012:role/specific-role"
@@ -184 +186,7 @@ The following example shows how to use a condition element with a deny statement
-The following example shows how to use a condition element with an allow statement in an SCP to permit specific principals to access AWS services.
+The following example shows how to use a condition element with a deny statement in an SCP to restrict access to any operations outside the `eu-central-1` and `eu-west-1` Regions, except for actions in the specified services. 
+
+JSON
+    
+
+****
+    
@@ -191,8 +199,4 @@ The following example shows how to use a condition element with an allow stateme
-             "Sid":"AllowServicesForSpecificPrincipal",
-             "Effect":"Allow",
-             "Action":[
-                "ec2:*",
-                "s3:*",
-                "rds:*",
-                "lambda:*",
-                "cloudformation:*",
+                "Sid": "DenyAllOutsideEU",
+                "Effect": "Deny",
+                "NotAction": [
+                    "cloudfront:*",
@@ -200 +204,2 @@ The following example shows how to use a condition element with an allow stateme
-                "cloudwatch:*"
+                    "route53:*",
+                    "support:*"
@@ -204,3 +209,4 @@ The following example shows how to use a condition element with an allow stateme
-                "StringEquals":{
-                   "aws:PrincipalArn":[
-                      "arn:aws:iam::123456789012:role/specific-role"
+                    "StringNotEquals": {
+                        "aws:RequestedRegion": [
+                            "eu-central-1",
+                            "eu-west-1"
@@ -268,0 +276,2 @@ This statement in an SCP sets a guardrail to prevent affected accounts (where th
+In statements where the `Effect` element has a value of `Allow`, you can specify only "*" in the `Resource` element of an SCP. You can't specify individual resource Amazon Resource Names (ARNs). 
+
@@ -278 +287,7 @@ You can use wildcard characters such as asterisk (*) or question mark (?) in the
-The following example shows how to use an SCP to prevent IAM users and roles in affected accounts from modifying a common administrative IAM role created in all accounts in your organization.
+In statements where the `Effect` element has a value of `Deny`, you _can_ specify individual ARNs, as shown in the following example.
+
+JSON
+    
+
+****
+    
@@ -305,0 +321,3 @@ The following example shows how to use an SCP to prevent IAM users and roles in
+
+This SCP restricts IAM users and roles in affected accounts from making changes to a common administrative IAM role created in all accounts in your organization.
+
@@ -385,2 +402,0 @@ The following elements aren't supported in SCPs:
-  * `Principal`
-
@@ -388,0 +405,2 @@ The following elements aren't supported in SCPs:
+  * `Principal`
+