1 Answers
The SCP is allowing access to the services and actions that are ALREADY allowed. For example, you can have an account with full access to all services, then apply an SCP that restricts by whitelisting only a select group of services. So, in essence, the SCP is "removing" access to any service not explicitly listed in the SCP. Maybe this link will help – https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations-to-enforce-healthcare-compliance-in-your-aws-account/
Hi Josh, thanks for the clarification.
I agree with Josh’s answer. Whitelisting is not really a “permission” in itself. There is also a term called blacklisting in SCP.
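The filtering behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified model in which an action is usable only when both the identity's IAM policy and the SCP allow it. The policy contents and function names are constructed for illustration, and the model assumes Action matching only (no Resource, Condition, or OU hierarchy).

```python
from fnmatch import fnmatchcase

def matches(action, patterns):
    """True if the action matches any pattern (AWS action names are case-insensitive)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def decide(statements, action):
    """Evaluate one policy layer: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for st in statements:
        if matches(action, st["Action"]):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def effective(iam_statements, scp_statements, action):
    """The SCP never grants anything: both layers must allow the action."""
    return decide(iam_statements, action) and decide(scp_statements, action)

# Constructed sample policies (hypothetical, simplified statements).
IAM_FULL_ACCESS = [{"Effect": "Allow", "Action": ["*"]}]
IAM_S3_ONLY = [{"Effect": "Allow", "Action": ["s3:*"]}]

# Allow-list ("whitelisting") SCP: only the listed actions survive the filter.
SCP_ALLOW_LIST = [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]

# Deny-list ("blacklisting") SCP: everything passes except what is denied.
SCP_DENY_LIST = [
    {"Effect": "Allow", "Action": ["*"]},
    {"Effect": "Deny", "Action": ["iam:*"]},
]

def report(iam, scp, actions):
    """Return {action: bool} so the filtering effect can be inspected."""
    return {a: effective(iam, scp, a) for a in actions}

if __name__ == "__main__":
    sample = ["s3:GetObject", "ec2:DescribeInstances", "dynamodb:PutItem", "iam:CreateUser"]
    print("full access + allow-list SCP:", report(IAM_FULL_ACCESS, SCP_ALLOW_LIST, sample))
    print("S3-only IAM + allow-list SCP:", report(IAM_S3_ONLY, SCP_ALLOW_LIST, sample))
    print("full access + deny-list SCP: ", report(IAM_FULL_ACCESS, SCP_DENY_LIST, sample))
```

The second report shows the point made in the answers: `ec2:Describe*` appears in the allow-list SCP, yet an identity whose IAM policy covers only S3 still cannot use it.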