1 Answers
SCPs are service boundaries. When a service is allowed in an SCP, it does not mean an identity is "allowed" to perform operations. An identity can perform operations on that service only when it has sufficient policies in place.
But when a service is denied in an SCP, it means any identity is denied from performing any operations (even if it has explicit policies in place).
So long answer short, SCPs are used to Deny only.
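The interaction described in the answer above can be checked with a small evaluator; this is an added example, not part of the original answer and not AWS's own evaluation code. It is a simplified model that matches on `Action` only, and the sample policies and the `evaluate` function are constructed for illustration (no `Resource`, `Condition`, `NotAction`, permission boundaries or resource-based policies).

```python
from fnmatch import fnmatchcase


def _matches(statements, effect, action):
    """Return True if any statement with the given Effect covers the action."""
    for st in statements:
        if st["Effect"] != effect:
            continue
        patterns = st["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and allow * and ? wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def evaluate(action, scp, identity_policy):
    """Simplified decision for one action in a member account.

    An explicit Deny anywhere wins. Otherwise the action must be allowed
    by the SCP (the boundary) AND by the identity's own policy (the grant).
    """
    if _matches(scp, "Deny", action) or _matches(identity_policy, "Deny", action):
        return "explicit deny"
    if not _matches(scp, "Allow", action):
        return "implicit deny (SCP)"
    if not _matches(identity_policy, "Allow", action):
        return "implicit deny (identity)"
    return "allow"


# Constructed sample policies (statements only, Action matching only).
SCP = [
    {"Effect": "Allow", "Action": "*"},      # everything inside the boundary
    {"Effect": "Deny", "Action": "ec2:*"},   # except EC2
]
IDENTITY = [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "s3:GetObject"]},
]

if __name__ == "__main__":
    for a in ("s3:GetObject", "ec2:RunInstances", "dynamodb:GetItem"):
        print(f"{a:20} -> {evaluate(a, SCP, IDENTITY)}")
```

`dynamodb:GetItem` is inside the SCP boundary but still denied because the identity has no policy granting it, while `ec2:RunInstances` is denied despite the identity's explicit allow.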