Why it matters
Budgets and alerts tell you when something expensive has already happened. Guardrails prevent many of those problems from happening in the first place.
Service Control Policies (SCPs) in AWS Organizations let you define what is allowed anywhere in your organization, regardless of individual IAM permissions. They’re a key tool for keeping cost risk under control at scale, and they also improve security posture by blocking risky actions, services, and Regions by default.
Block very large or unapproved instance types
Without guardrails, anyone with permission to launch EC2 instances can choose any size or family, including very large or non-standard instances that don’t fit your cost or architecture guidelines.
SCPs can:
- Deny ec2:RunInstances for specific instance families or sizes (for example, p*, u-*, or sizes above a certain threshold)
- Allow only approved instance families that the organization has standardized on
This keeps accidental or ad‑hoc use of high-cost instance types from showing up as surprise spend.
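The following SCP is an added example (not taken from this page) of the allow-list approach: it denies ec2:RunInstances whenever the requested instance type is not in an approved set. The approved families (t3, m6i, c6i, r6i) are assumptions chosen for illustration; replace them with the families your organization has standardized on.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": [
            "t3.*",
            "m6i.*",
            "c6i.*",
            "r6i.*"
          ]
        }
      }
    }
  ]
}
```

Two details matter here. First, the Resource is scoped to the instance ARN rather than "*": ec2:RunInstances also touches volumes, network interfaces, and other resource types that carry no ec2:InstanceType key, and a negated operator such as StringNotLike evaluates as a match when the key is absent, so an unscoped statement would deny every launch. Second, the deny-list variant described above is the same statement with StringLike instead of StringNotLike and the blocked families (for example "p*" and "u-*") in the list; the allow-list form is more durable because newly released families are blocked until you approve them.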
Block unused or unapproved services
Some services might be out of scope for your organization (for example, due to compliance, security, or cost control).
With SCPs you can:
- Deny actions for entire services that are not allowed (for example, deny sagemaker:* if not in use)
- Restrict experimental or high-cost services to specific accounts or OUs
This focuses spend on the services you’ve intentionally chosen to support.
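As an added example (not from the original page), the SCP below denies all SageMaker actions across the organizational units it is attached to, and denies Redshift except from one approved account. The account ID 111111111111 and the choice of Redshift as the "high-cost" service are placeholders for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnusedService",
      "Effect": "Deny",
      "Action": "sagemaker:*",
      "Resource": "*"
    },
    {
      "Sid": "RestrictHighCostServiceToApprovedAccount",
      "Effect": "Deny",
      "Action": "redshift:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "111111111111"
        }
      }
    }
  ]
}
```

The simplest way to scope a restriction to particular accounts is to attach the SCP only to the OUs that should be restricted and leave the sandbox or data-science OU without it; the aws:PrincipalAccount condition is useful when one policy must cover a mixed OU. Keep in mind that SCPs never grant access: an identity still needs an IAM policy that allows redshift actions, and SCPs do not apply to the management account.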
Block Regions that are not in use
Running resources in unexpected Regions makes costs harder to track and can create data residency issues.
SCPs can:
- Deny actions in all Regions except a small approved set (for example, us-east-1 and eu-west-1)
- Prevent accidental creation of resources in Regions you don’t monitor or intend to use
This keeps workloads and spend concentrated in the Regions your teams actually manage.
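The following Region guardrail is an added example, not code from this page. It denies every request whose aws:RequestedRegion is outside us-east-1 and eu-west-1, while exempting global services that are always served from us-east-1 (the NotAction list here is abbreviated and assumed; the full list of global service prefixes is maintained in the AWS Organizations documentation). The break-glass role name OrgAdminBypassRole is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "route53:*",
        "cloudfront:*",
        "budgets:*",
        "ce:*",
        "support:*",
        "health:*",
        "ec2:DescribeRegions"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgAdminBypassRole"
        }
      }
    }
  ]
}
```

NotAction is used instead of Action so that the deny covers every service except the listed global ones; omitting those exemptions breaks IAM, STS, and billing calls, which are routed through us-east-1 regardless of where the caller sits. Test a Region SCP in a single non-production OU first and review CloudTrail for AccessDenied errors before rolling it out more widely.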
Learn more
For examples of SCPs you can adapt, see: