AWS Certified Solutions Architect - Professional 2020

Sign Up Free or Log In to participate!

Why is this action denied?

In this Reinvent video about IAM policies, why is the request at 14:30 denied?

I understood if there is no SCP, there is no guardrail so no actions would be denied.

1 Answers

Hey Jordi

That’s a great video from Brigid Johnson from the Identity team.  In this case Brigid is demonstrating how there is a top-level of permission granted in the AWS account using an ‘SCP’.  SCPs define the maximum permission level allowed in the account.  Your SCP for your account must grant an ALLOW permission in order for any entities underneath that SCP (i.e. an IAM role) to be granted permission at the permission policy level.

In many AWS accounts you might find that the SCP has been left as: 

    "Version": "2012-10-17",

    "Statement": [


            "Effect": "Allow",

            "Action": "*",

            "Resource": "*"




via the FullAWSAccess AWS-managed SCP.

FullAWSAccess allows any entity underneath can be given ALLOW or DENY for various services.  At the top level, any entity is allowed to be granted anything else.  

If you were to delete your SCP(s) which grants access, then no combination of resource policies or user permission policies under it are going to work.  In Brigid’s example, at 14:30, she asks what would happen if Casey deletes the SCP (which is the box on the left of her diagram) and the audience rightly answer that all access would be lost (DENIED!!!!)

SCPs can be used with AWS Organisations to set permission boundaries for a whole account. For example you might set permission guardrails using SCPs for your Development AWS account to limit the instance types available, and to only grant access to services in the us-east-1 region.  That idea is explained more here: 

I hope that clarifies for you!  Hit the community up if you need any more explanation..


Jordi Codina Claret

Thanks Jonathon! It makes sense. Somehow I had assumed you by default have the FullAWSAccess AWS-managed SCP as the default, which now I understand is not the case.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?