How can I increase the SCP character size limit or number of SCPs for an AWS Organization?

3 minute read

I want to increase the character limit for service control policies (SCPs) or attach more SCPs to an entity in an AWS Organization.

Resolution

The AWS Organizations service has a hard limit of five SCPs per account.

Use these methods to reduce the number of SCPs directly attached to an account to allow for additional restrictions in an Organization.

Consolidate multiple SCPs into a single SCP
Use SCP inheritance in the organizational unit's (OU) hierarchy

Consolidate multiple SCPs into a single SCP

Use this method if the size of the SCP is less than the policy size limit of 5,120 bytes.

Follow these recommendations to reduce the SCP size limit:

Review your SCPs and remove any duplicate permissions. For example, put all actions with the same Effect and Resource elements in one statement instead of in multiple statements.
Remove any unnecessary element such as the statement ID (Sid) because that element counts against the total number of characters allowed.
Use wildcards for actions with the same suffixes or prefixes. For example, the actions ec2:DescribeInstances, ec2:DescribeTags, and ec2:DescribeSubnets can be combined as ec2:Describe*.
Important: Using wildcards can create additional security risks in an Organization. Wildcards grant broad permissions, often for multiple resources. They can grant unintended permissions for users and roles in your Organization. Never apply permissions using this method to AWS Lambda functions. Be sure that you use wildcards only after performing due diligence.

Use SCP inheritance in the OU hierarchy

The five SCPs limit doesn't include SCPs that are inherited from the parent. You can use the inheritance structure of SCPs for OUs and member accounts to distribute SCPs across multiple OUs. For example, to deny IAM users or roles with your Organization's member accounts from accessing AWS services, set up your Organization structure like this example:

Root    <--- 1 full access SCP (1 directly attached)  
 |
OU1     <--- 1 full access, 4 deny SCPs (5 directly attached, 1 inherited)
 |
OU2     <--- 1 full access, 4 deny SCPs (5 directly attached, 6 inherited)
 |
Account <--- 1 full access, 4 deny SCPs (5 directly attached, 11 inherited)
 |
Bob

Permissions that are filtered by SCPs at each node of an Organization hierarchy are the intersection of directly attached and inherited SCPs. In this example, the AWS Identity and Access Management (IAM) user Bob in a member account has full access minus the services denied by the 12 deny-based SCPs. This approach is scalable because the maximum number of nested OUs that you can have within your Organization hierarchy is five. For more information, see SCP evaluation and Quotas for AWS Organizations.

Related information

Strategies for using SCPs

Topics

Management & Governance

Relevant content

SCPs - conditions for a specific OU?
Accepted Answer
rePost-User-1401648
asked 2 years ago
Can SCPs interfere with the account creation process via AWS Organizations API?
Paul Santus - TerraCloud
asked 3 months ago
Deploy SCPs to OUs
Arjun Goel
asked a month ago
Monitoring the service limitation usage throughout the AWS Organization
Accepted Answer
Sho SAITO
asked a month ago
Organisation resource based policy for delegated admin account principles to limit actions for SCPs based on suborganisation id.
Iknownothing
asked a year ago
How can I resolve the error "You have exceeded the allowed number of AWS accounts." for AWS Organizations?
AWS OFFICIALUpdated a year ago
How can I use SCPs and tag policies to prevent users in my AWS Organizations member accounts from creating resources?
AWS OFFICIALUpdated 2 years ago
What's the difference between an AWS Organizations service control policy and an IAM policy?
AWS OFFICIALUpdated 2 years ago
Why can't I join an organization in AWS Organizations?
AWS OFFICIALUpdated 2 years ago
How to use the AWS CLI to collect Cost Explorer Forecasting data per account for all accounts in an AWS Organization
EXPERT
Fernando_F
published 10 months ago