Setting up SCPs
As mentioned earlier, the intention behind SCPs is similar to that of IAM permissions boundaries, that is, to limit the perimeter of what is allowed to be done at an account level, an OU level, or an organization level.
SCPs offer central control over the maximum set of permissions that accounts in an OU or across your entire organization can have. However, it is important to understand that SCPs do not grant any permissions to IAM entities (users and roles) in your accounts; they can only limit what those entities are allowed to do.
You can attach multiple SCPs (up to five) at any one time to the same organization, OU, or account. SCPs accumulate from the organization root down through each OU to the account level. Remember how SCPs work: they limit the scope of the permissions entities can have at any level. Thus, to determine what an account's IAM entities (roles or users) are entitled to do, you must travel down the organization tree and look at the intersection...
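The top-down evaluation described above, as an added example that is not part of the original text: a minimal evaluator that walks from the root to the account and requires every level to allow an action. It assumes statements use only `Effect` and `Action` (`Resource`, `Condition` and `NotAction` are ignored), and the node names and policies are constructed.

```python
from fnmatch import fnmatchcase

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def level_verdict(action, scps):
    """Combined verdict of every SCP attached to ONE node (root, OU or account)."""
    allowed = False
    for policy in scps:
        for st in policy["Statement"]:
            if _matches(action, st["Action"]):
                if st["Effect"] == "Deny":
                    return "deny"          # an explicit deny always wins
                allowed = True             # any one attached SCP may allow
    return "allow" if allowed else "implicit-deny"

def scp_permits(action, path):
    """path: [(node_name, [scp, ...]), ...] ordered root -> OU(s) -> account.
    Every level must allow the action; returns (permitted, blocking_node)."""
    for name, scps in path:
        if level_verdict(action, scps) != "allow":
            return False, name
    return True, None

def effective(action, path, identity_allows):
    """SCPs only filter: the entity's IAM policy must still grant the action."""
    permitted, blocker = scp_permits(action, path)
    return permitted and identity_allows, blocker

def _scp(effect, action):  # builds a constructed sample policy document
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": "*"}]}

# Constructed sample hierarchy (names and policies are illustrative only).
PATH = [
    ("Root", [_scp("Allow", "*")]),
    ("OU:Workloads", [_scp("Allow", ["s3:*", "ec2:Describe*"])]),
    ("Account:example", [_scp("Allow", "*"), _scp("Deny", "s3:DeleteBucket")]),
]

if __name__ == "__main__":
    for act in ("s3:GetObject", "iam:CreateUser", "s3:DeleteBucket"):
        print(act, effective(act, PATH, identity_allows=True))
```

The second element of the result names the first node whose SCPs block the action, which is the place to look when an IAM policy that appears sufficient is still denied.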