Overview SCPs Applied at the OU level Controlled by the organization master account Restrict actions which can be taken in an AWS account Control which AWS APIs are accessible Allowlist/denylist Invisible to users in the child accounts