SCPs

Service Control Policies are AWS Organizations policies that set maximum permission guardrails for all IAM entities (users, roles) in member accounts, regardless of what those entities' identity-based policies grant. SCPs cannot grant permissions — they only restrict.

They are used to enforce security baseline requirements like preventing member accounts from disabling CloudTrail, restricting which AWS regions services can be deployed in, and blocking creation of IAM users with long-lived credentials.