Which type of policy is used to manage permissions within an AWS organization?

Service control policies (SCPs) are fundamental in managing permissions within an AWS organization. They allow administrators to define the maximum available permissions for member accounts in an organizational unit (OU) and enforce rules across the accounts. SCPs act as a filter for AWS Identity and Access Management (IAM) policies, ensuring that accounts can only perform actions allowed by the policies set at the organization level.

SCPs are applied at the organization level rather than at the individual user or resource level, making them an effective tool for centralized governance and compliance management. This ensures that even if hierarchical IAM policies allow certain actions, if those actions exceed the permissions defined in the SCP, they will be denied.

Understanding the function of SCPs is crucial for maintaining security and operational boundaries within large AWS environments, enabling organizations to apply consistent permission levels across various teams and departments while ensuring adherence to organizational policies.