Certified Security - Specialty

Sign Up Free or Log In to participate!

Allow specific user access in SCP


I am playing with SCP, and trying to implemented below steps:

1) I’ve create an organisation and defined a new ou under root (ORG1)

2) I’ve added the root user for the account 1111111111 under ORG1 

3) I’ve create an admin account in account 1111111111 with full admin privileges

4) Root organisation has the OOTB FullAWSAccess associated to it

5) I want to deny all the permissions to users (root account as well) in ou ORG1 expect for an IAM user – admin

6) I’ve defined below SCP in ORG1, but when I log into account 1111111111 with user admin, user hasn’t got any permission.

Could you please suggest if this scenario is feasible with SCP?



"Version": "2012-10-17",

"Statement": [


"Sid": "Statement1",

"Effect": "Deny",

"Resource": [










1 Answers

This is not correct per the AWS documentation. NotPrinciple is an unsupported syntax for SCP. It’s allowed on IAM ploicies, but not SCP. 

You would need to use a condition statement for what you are trying to do. 

Reference the bottom of this page of this link below for more details.


Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?