Unlock new possibilities: AWS Organizations service control policy now supports full IAM language
Security Blog
AWS Organizations has expanded the capabilities of Service Control Policies (SCPs) to support the full IAM policy language, introducing several significant enhancements:
- Support for conditions, individual resource ARNs, and the `NotAction` element
- Ability to use wildcards at the beginning or middle of Action element strings
- Support for the `NotResource` element in both Allow and Deny statements
- Expanded flexibility in policy creation across AWS commercial and GovCloud regions
Key improvements include:
- More precise access control through advanced policy configurations
- Simplified policy management with more intuitive design options
- Enhanced ability to create granular resource and action restrictions
- Recommended use of explicit Deny statements for better security control
AWS recommends using IAM Access Analyzer to validate policies and ensure proper implementation of these new SCP capabilities.
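A sketch of an SCP that uses several of the elements listed above, added here as an illustration and not taken from the AWS post. It shows `NotResource` in an explicit Deny, a leading wildcard in `Action` strings, and a condition. The bucket name, role name and Sids are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3WritesOutsideApprovedBucket",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "NotResource": "arn:aws:s3:::example-approved-bucket/*"
    },
    {
      "Sid": "DenySecurityGroupRuleChangesExceptNetworkAdmin",
      "Effect": "Deny",
      "Action": [
        "ec2:*SecurityGroupIngress",
        "ec2:*SecurityGroupEgress"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ExampleNetworkAdmin"
        }
      }
    }
  ]
}
```

The first statement blocks the listed S3 writes on every resource except objects in the named bucket. The second uses leading wildcards to cover both the Authorize and Revoke security group rule actions and exempts a single role through the condition.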