Certified Security - Specialty

Service Control Policy Deny Only?

In the AWS Organizations & Service Control Policies lecture, Faye states that SCPs are deny only (03:19). But we can Allow too?

There is an AWS article that shows how SCPs can be used (Whitelist or Blacklist)


Could you please clarify?

1 Answer

SCPs are service boundaries. When a service is allowed in an SCP, it does not mean an identity is "allowed" to perform operations. An identity can only perform operations on that service when it has sufficient policies in place.

But when a service is denied in an SCP, it means any identity is denied from performing any operations (even if it has explicit policies in place).

So long answer short, SCPs are used to Deny only.
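To make the answer's two rules concrete (an SCP Allow grants nothing on its own; an SCP Deny overrides an identity's own policies), here is a small added example that is not part of the original thread and not AWS code. It is a deliberately simplified model of the policy evaluation: it only combines one SCP with one identity policy, ignores resource policies, permission boundaries, conditions and NotAction, and the sample SCPs and identity policy are constructed for illustration. The two SCP shapes are the ones the question refers to: an allow-list SCP that names only the services permitted, and a deny-list SCP that keeps the default FullAWSAccess Allow and adds explicit Denies.

```python
"""Simplified model of how an SCP combines with an IAM identity policy.

Constructed example (not AWS code, not the full IAM evaluation logic):
  1. An explicit Deny in either the SCP or the identity policy wins.
  2. An action is effective only if BOTH the SCP and the identity policy Allow it.
  3. Therefore an Allow in the SCP alone never grants anything.
"""
from fnmatch import fnmatchcase

# Allow-list style SCP: only EC2 and S3 may be used anywhere under this OU.
SCP_ALLOW_LIST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

# Deny-list style SCP: keep the default FullAWSAccess Allow, then carve out
# specific operations that nobody in the OU may perform, even administrators.
SCP_DENY_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}

# Constructed identity policy attached to a sample IAM role.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "cloudtrail:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy.

    Action names are compared case-insensitively and wildcards follow IAM's
    '*' convention, e.g. 's3:*' matches 's3:GetObject'.
    """
    result = None
    for stmt in _as_list(policy["Statement"]) if isinstance(policy["Statement"], dict) else policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny is final for this policy
        result = "Allow"
    return result


def is_effective(scp, identity_policy, action):
    """True only if the SCP permits the action AND the identity policy grants it."""
    scp_result = _decision(scp, action)
    identity_result = _decision(identity_policy, action)
    if scp_result == "Deny" or identity_result == "Deny":
        return False
    return scp_result == "Allow" and identity_result == "Allow"


if __name__ == "__main__":
    for scp_name, scp in (("allow-list SCP", SCP_ALLOW_LIST), ("deny-list SCP", SCP_DENY_LIST)):
        for action in ("s3:GetObject", "s3:DeleteObject", "ec2:RunInstances",
                       "cloudtrail:DescribeTrails", "cloudtrail:StopLogging"):
            print(f"{scp_name:14} {action:26} -> {is_effective(scp, IDENTITY_POLICY, action)}")
```

Under the allow-list SCP, `ec2:RunInstances` is permitted by the SCP but the role still cannot run it because its identity policy never grants EC2; that is the "SCP Allow is not a grant" point. Under the deny-list SCP, `cloudtrail:StopLogging` stays blocked even though the identity policy explicitly allows `cloudtrail:*`; that is the "SCP Deny overrides everything" point. When auditing an organization, the check worth running is exactly this intersection, not the SCP or the identity policy on its own.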

