AWS Service Control Policy - SCP Inheritance

Girish V P
ADIBI Technologies, Basavanagudi, Blore.
2 min read · Jan 12, 2020

I had been working a lot on SCPs to accomplish certain tasks, comparing them with how access control policies worked for me in other software. People who have worked with access control policies such as Windows Group Policy may find implementing AWS SCPs (Service Control Policies) a little difficult at first. With the advent of AWS Organizations, SCPs have become more popular and essential. Some of the points I found out about SCPs are:

  1. For an Allow for a service to take effect, an SCP allowing that service has to be directly attached to every OU along the path from the root down to the account.
  2. A Deny for a service applies if a Deny SCP is attached to ANY OU along the path.
  3. Deny takes precedence over Allow, whether the Deny is implicit or explicit, direct or inherited.
  4. Only Deny statements can include resources and conditions.

In my example I have:

  1. The ROOT of the AWS Organization.
  2. An IT OU under ROOT.
  3. A SUPPORT OU under the IT OU.
  4. An AWS member account under the SUPPORT OU.
  5. A FullAWSAccess SCP, which allows all access for every service.
  6. An S3-Allow SCP, which allows full permissions for S3 only.
  7. An EC2-Allow SCP, which allows full permissions for EC2 only.
  8. An EC2-Deny SCP, which denies EC2.

Let us look at a table showing the cumulative result of the policies.
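To make the cumulative result concrete, here is an added Python simulation of the four rules above over the ROOT / IT / SUPPORT / account path. It is example code written for this page, not from the original post or from AWS: the SCP documents, the action names (ec2:RunInstances, s3:GetObject) and the three scenario layouts are constructed for the illustration, and it deliberately models only the Action element (Resource and Condition are ignored), so it is a teaching model of SCP inheritance, not a replacement for the IAM policy simulator.

```python
import fnmatch


def scp(effect, action):
    """Build a minimal SCP document with one statement (constructed for this example)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": "*"}]}


# The four SCPs named in the post, written out as policy documents.
FULL_AWS_ACCESS = scp("Allow", "*")
S3_ALLOW = scp("Allow", "s3:*")
EC2_ALLOW = scp("Allow", "ec2:*")
EC2_DENY = scp("Deny", "ec2:*")


def _statements(policy):
    """IAM lets "Statement" be a single object or a list; normalise to a list."""
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards.
    "Action" may be one string or a list of strings."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def level_permits(scps, action):
    """Evaluate the SCPs attached at ONE level (root, an OU, or the account).
    Within a level a matching Deny wins outright; otherwise some Allow must
    match; no matching statement at all is an implicit deny."""
    allowed = False
    for policy in scps:
        for stmt in _statements(policy):
            if not _action_matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def first_blocking_level(path, action):
    """Walk the path root -> OUs -> account and return the first level whose
    SCPs do not permit the action, or None if every level permits it. The
    effective permission is the intersection of all levels, so a single
    blocking level is enough to block the action for the account (rule 1)."""
    for level_name, scps in path:
        if not level_permits(scps, action):
            return level_name
    return None


def effective(path, action):
    return first_blocking_level(path, action) is None


# Scenario 1: FullAWSAccess attached at every level, so everything is permitted.
SCENARIO_ALLOW_EVERYWHERE = [
    ("ROOT", [FULL_AWS_ACCESS]), ("IT", [FULL_AWS_ACCESS]),
    ("SUPPORT", [FULL_AWS_ACCESS]), ("ACCOUNT", [FULL_AWS_ACCESS]),
]

# Scenario 2: EC2-Allow is attached at SUPPORT, and the account has
# FullAWSAccess, but IT carries only S3-Allow. Rule 1: the Allow missing at
# one level is an implicit deny for the whole path, so EC2 is blocked at IT
# while S3 still works.
SCENARIO_MISSING_LEVEL = [
    ("ROOT", [FULL_AWS_ACCESS]), ("IT", [S3_ALLOW]),
    ("SUPPORT", [S3_ALLOW, EC2_ALLOW]), ("ACCOUNT", [FULL_AWS_ACCESS]),
]

# Scenario 3: FullAWSAccess everywhere plus EC2-Deny on IT. Rules 2 and 3:
# a Deny anywhere on the path wins over every Allow, direct or inherited.
SCENARIO_DENY_IN_CHAIN = [
    ("ROOT", [FULL_AWS_ACCESS]), ("IT", [FULL_AWS_ACCESS, EC2_DENY]),
    ("SUPPORT", [FULL_AWS_ACCESS]), ("ACCOUNT", [FULL_AWS_ACCESS]),
]


def cumulative_table(scenarios, actions):
    """Return {scenario: {action: "Allow" | "Deny (at LEVEL)"}} so the
    cumulative result of each scenario can be read like a table."""
    table = {}
    for name, path in scenarios.items():
        table[name] = {}
        for action in actions:
            blocked_at = first_blocking_level(path, action)
            table[name][action] = "Allow" if blocked_at is None else f"Deny (at {blocked_at})"
    return table


if __name__ == "__main__":
    rows = cumulative_table(
        {"allow-everywhere": SCENARIO_ALLOW_EVERYWHERE,
         "missing-level": SCENARIO_MISSING_LEVEL,
         "deny-in-chain": SCENARIO_DENY_IN_CHAIN},
        ["ec2:RunInstances", "s3:GetObject"])
    for scenario, row in rows.items():
        print(scenario, row)
```

The design choice worth noticing is that each level is evaluated on its own and the results are intersected, which is why scenario 2 blocks EC2 at IT even though both SUPPORT and the account would allow it, and why scenario 3 blocks EC2 everywhere below IT from a single EC2-Deny. When troubleshooting a real organization, walking the path level by level in the same way and looking for the first level that lacks the Allow (or carries a Deny) is usually faster than reading the merged result.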

Conclusion

We learned how AWS service control policy inheritance works and how it is applied in different scenarios. We found out the Allow/Deny precedence and how it works in a multi-OU setup.
