How can I increase the SCP character size limit or number of SCPs for an AWS Organization?

Last updated: 2022-02-22

I want to increase the character limit for service control policies (SCPs) or attach more SCPs to an entity in an AWS Organization.

Short description

The maximum size of an SCP policy document is 5,120 bytes. The maximum number of SCPs that can be attached directly to the root, an organizational unit (OU), or an account is five. For more information, see Quotas for AWS Organizations.

Resolution

If you have reached the SCP character size limit or the maximum number of SCPs for an entity in your Organization, then use the following best practices, depending on your use case.

Reduce the SCP size to stay below the 5,120-byte limit

Review the SCPs and remove duplicate permissions. For example, put all actions with the same Effect and Resource elements in one statement instead of multiple statements.

Remove unnecessary elements such as Sid because they count against the total number of characters allowed.

Use wildcards for actions with the same suffixes or prefixes. For example, the actions ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeSubnets can be combined as ec2:Describe*.
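The three reductions above, applied by a script, as an added example that is not part of the AWS article. The policy, the prefix list, and the size check are constructed for illustration; the script measures the compact JSON serialization, and whether whitespace counts toward the quota is an assumption not stated here, so treat the byte count as a lower bound.

```python
"""Added example, not part of the AWS article: shrink an SCP by merging
statements that share Effect/Resource/Condition, dropping Sid, and collapsing
actions under a common prefix into a wildcard, then measure the result against
the 5,120-byte quota."""
import json
from collections import OrderedDict

SCP_LIMIT_BYTES = 5120  # quota stated in the article

# Constructed sample: three Deny statements that could be a single statement.
VERBOSE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyDescribeInstances", "Effect": "Deny",
         "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Sid": "DenyDescribeTagsSubnets", "Effect": "Deny",
         "Action": ["ec2:DescribeTags", "ec2:DescribeSubnets"], "Resource": "*"},
        {"Sid": "DenyCreateBucket", "Effect": "Deny",
         "Action": "s3:CreateBucket", "Resource": "*"},
    ],
}


def policy_size(policy):
    """UTF-8 byte length of the policy serialized without whitespace.
    Assumption: the compact form is what is measured; whether whitespace
    counts toward the quota is not stated in the article."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def merge_statements(policy):
    """Merge statements with identical Effect, Resource and Condition and drop
    every Sid. Statements using NotAction, NotResource or Principal are copied
    unchanged because merging them would change their meaning."""
    merged = OrderedDict()
    untouched = []
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("NotAction", "NotResource", "Principal", "NotPrincipal")):
            untouched.append(dict(stmt))
            continue
        key = (stmt["Effect"],
               json.dumps(stmt.get("Resource"), sort_keys=True),
               json.dumps(stmt.get("Condition"), sort_keys=True))
        if key not in merged:
            new = {"Effect": stmt["Effect"], "Action": [], "Resource": stmt.get("Resource")}
            if "Condition" in stmt:
                new["Condition"] = stmt["Condition"]
            merged[key] = new
        for action in _as_list(stmt["Action"]):
            if action not in merged[key]["Action"]:
                merged[key]["Action"].append(action)
    return {"Version": policy["Version"], "Statement": list(merged.values()) + untouched}


def collapse_prefix(actions, prefix):
    """Replace every action starting with `prefix` by the single wildcard
    `prefix*`. The wildcard also matches actions AWS adds to that service
    later, so apply it only where that widening is acceptable (in a Deny
    statement it restricts more; in an Allow statement it grants more)."""
    kept = [a for a in actions if not a.startswith(prefix)]
    if len(kept) != len(actions):
        kept.append(prefix + "*")
    return kept


def minimize_scp(policy, prefixes=()):
    """Apply all three reductions from the article and return the new policy."""
    reduced = merge_statements(policy)
    for stmt in reduced["Statement"]:
        if "Action" in stmt:
            for prefix in prefixes:
                stmt["Action"] = collapse_prefix(_as_list(stmt["Action"]), prefix)
    return reduced


def fits_quota(policy):
    return policy_size(policy) <= SCP_LIMIT_BYTES


if __name__ == "__main__":
    before = policy_size(VERBOSE_SCP)
    small = minimize_scp(VERBOSE_SCP, prefixes=("ec2:Describe",))
    print(f"{before} bytes -> {policy_size(small)} bytes, within quota: {fits_quota(small)}")
    print(json.dumps(small, indent=2))
```

Run the script on an exported SCP to see how much each step saves before editing the policy by hand; the prefix list is deliberately explicit so that a wildcard is only introduced where you have decided the broader match is acceptable.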

Use SCP inheritance in the OU hierarchy

The limit of five SCPs per entity doesn't include SCPs inherited from the parent. You can use the inheritance structure of SCPs for OUs and member accounts to distribute SCPs across multiple OUs. For example, if you want to deny IAM users or roles in the member accounts of your Organization access to AWS services, you can set up your Organization structure as follows:

Root    <--- 1 full access SCP (1 directly attached)  
 |
OU1     <--- 1 full access, 4 deny SCPs (5 directly attached, 1 inherited)
 |
OU2     <--- 1 full access, 4 deny SCPs (5 directly attached, 6 inherited)
 |
Account <--- 1 full access, 4 deny SCPs (5 directly attached, 11 inherited)
 |
Bob

Permissions that are filtered by SCPs at each node of an Organization hierarchy are the intersection of the directly attached and inherited SCPs. The effective permissions allowed for IAM user Bob in a member account are full access minus the services denied by the 12 deny-based SCPs. This approach is scalable because the maximum number of nested OUs that you can have within your Organization hierarchy is five. For more information, see Inheritance for service control policies.

Important: No permissions are granted by an SCP. The administrator must attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts, to grant permissions. For more information, see Service control policies (SCPs).
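The intersection rule and the "SCPs grant nothing" point, modelled in a small evaluator, as an added example that is not part of the AWS article. The hierarchy, the SCP contents, and Bob's IAM policy are constructed to match the diagram above; the model handles only Allow/Deny with action wildcards (no Condition, NotAction, or resource ARNs), which is an assumption that simplifies real SCP evaluation.

```python
"""Added example, not part of the AWS article: a simplified model of how SCPs
attached at each level of an Organizations hierarchy combine. Only Allow/Deny
with action wildcards is modelled, enough to show the intersection rule and
that an SCP by itself grants nothing."""
from fnmatch import fnmatchcase

MAX_SCPS_PER_ENTITY = 5  # directly attached per root, OU or account (article)
MAX_OU_DEPTH = 5         # maximum nesting of OUs (article)

FULL_ACCESS = ("Allow", ["*"])


def deny(*actions):
    return ("Deny", list(actions))


# Constructed hierarchy matching the article's diagram: each node lists the
# SCPs attached directly to it (one full-access SCP plus up to four denies).
HIERARCHY = [
    ("Root", "root", [FULL_ACCESS]),
    ("OU1", "ou", [FULL_ACCESS, deny("ec2:*"), deny("s3:DeleteBucket"),
                   deny("iam:CreateUser"), deny("organizations:LeaveOrganization")]),
    ("OU2", "ou", [FULL_ACCESS, deny("rds:*"), deny("kms:ScheduleKeyDeletion"),
                   deny("cloudtrail:StopLogging"), deny("guardduty:DeleteDetector")]),
    ("Account", "account", [FULL_ACCESS, deny("lambda:*"), deny("s3:PutBucketPolicy"),
                            deny("dynamodb:DeleteTable"),
                            deny("config:StopConfigurationRecorder")]),
]


def validate_hierarchy(hierarchy):
    """Check the quotas the article states: at most five SCPs attached directly
    to any entity, and at most five levels of nested OUs."""
    ou_levels = sum(1 for _, kind, _ in hierarchy if kind == "ou")
    if ou_levels > MAX_OU_DEPTH:
        raise ValueError(f"{ou_levels} nested OUs exceeds {MAX_OU_DEPTH}")
    for name, _, scps in hierarchy:
        if len(scps) > MAX_SCPS_PER_ENTITY:
            raise ValueError(f"{name}: {len(scps)} SCPs exceeds {MAX_SCPS_PER_ENTITY}")
    return True


def node_allows(scps, action):
    """Evaluate the SCPs attached to one node: an explicit Deny in any of them
    wins; otherwise at least one Allow must match the action."""
    allowed = False
    for effect, patterns in scps:
        if any(fnmatchcase(action, p) for p in patterns):
            if effect == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(hierarchy, action):
    """Inherited SCPs apply at every level, so the action survives only if the
    root, every OU on the path and the account itself all allow it."""
    return all(node_allows(scps, action) for _, _, scps in hierarchy)


def principal_can(hierarchy, iam_allowed_actions, action):
    """SCPs never grant anything: the principal still needs an identity-based
    (or resource-based) policy that allows the action."""
    iam_allows = any(fnmatchcase(action, p) for p in iam_allowed_actions)
    return iam_allows and scp_permits(hierarchy, action)


def denied_by(hierarchy, action):
    """Names of the node(s) whose SCPs block an action; handy when an
    administrator asks why a user cannot call something."""
    return [name for name, _, scps in hierarchy if not node_allows(scps, action)]


if __name__ == "__main__":
    validate_hierarchy(HIERARCHY)
    bob_iam = ["s3:*", "ec2:Describe*", "sts:AssumeRole"]  # constructed IAM policy for Bob
    for act in ["s3:GetObject", "ec2:DescribeInstances", "lambda:InvokeFunction",
                "sts:AssumeRole", "s3:DeleteBucket", "iam:CreateUser"]:
        print(f"{act:26} scp={scp_permits(HIERARCHY, act)!s:5} "
              f"effective={principal_can(HIERARCHY, bob_iam, act)!s:5} "
              f"blocked_at={denied_by(HIERARCHY, act)}")
```

Note that `iam:CreateUser` is permitted by Bob's SCP chain only if his own IAM policy allows it, and `ec2:DescribeInstances` is blocked at OU1 even though his IAM policy allows it: the hierarchy check and the IAM check are independent, and both must pass.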