1 Answers
An SCP can be applied at the root level of the OU hierarchy, but it will not apply to the master/management account. "SCPs don’t affect users or roles in the management account. They affect only the member accounts in your organization." (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
Yes, by default, an SCP named FullAWSAccess is attached to every organization root, OU, and account.
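The two points in the answer above, as an added example that is not part of the original answer: a simplified offline model of how SCPs attached at the root, OU and account levels combine, and why the management account is exempt. It goes slightly beyond the answer by showing what happens when FullAWSAccess is replaced at one level. All account IDs, OU names and the `DenyCloudTrailStop` and `S3Only` policies are constructed, and only `Effect` and `Action` are modelled (no `Resource`, `Condition` or `NotAction`).

```python
from fnmatch import fnmatchcase

# Constructed sample organization; every name and ID here is made up.
POLICIES = {
    "FullAWSAccess": [{"Effect": "Allow", "Action": "*"}],
    "DenyCloudTrailStop": [{"Effect": "Deny", "Action": "cloudtrail:StopLogging"}],
    "S3Only": [{"Effect": "Allow", "Action": "s3:*"}],
}
PARENT = {"mgmt-111": "root", "ou-prod": "root", "acct-222": "ou-prod",
          "ou-sandbox": "root", "acct-333": "ou-sandbox"}
ATTACHED = {
    "root": ["FullAWSAccess", "DenyCloudTrailStop"],
    "mgmt-111": ["FullAWSAccess"],
    "ou-prod": ["FullAWSAccess"],
    "acct-222": ["FullAWSAccess"],
    "ou-sandbox": ["S3Only"],  # FullAWSAccess detached and replaced at this OU
    "acct-333": ["FullAWSAccess"],
}
MANAGEMENT_ACCOUNT = "mgmt-111"

def path_to_root(target):
    """Return the account followed by each parent OU up to the root."""
    chain = [target]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def matches(level, effect, action):
    """True if any SCP attached at this level has a statement with the
    given effect whose Action pattern matches (case-insensitively)."""
    return any(
        s["Effect"] == effect and fnmatchcase(action.lower(), s["Action"].lower())
        for name in ATTACHED.get(level, [])
        for s in POLICIES[name]
    )

def scp_permits(account, action):
    """Whether SCPs leave the action available in the account. This is only
    the SCP filter; IAM policies must still grant the action."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # SCPs do not affect the management account
    levels = path_to_root(account)
    if any(matches(level, "Deny", action) for level in levels):
        return False  # an explicit Deny at any level wins
    # An Allow is required at every level; FullAWSAccess supplies it by default.
    return all(matches(level, "Allow", action) for level in levels)
```
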