AWS Solutions Architect/training/Section 2: AWS Accounts and Organizations

• 4. Introduction
• 5. Hands-On Practice: Free Tier vs Sandbox
• 6. [HOL] Create Your AWS Free Tier Account
• 7. [HOL] Configure Account and Create a Budget and Alarm
• 8. [HOL] Setup Individual User Account
• 9. [HOL] Install Tools and Configure AWS CLI
• 10. AWS Organizations
• 11. [HOL] Create AWS Organization and Add Account
• 12. Service Control Policies (SCPs)
• 13. SCP Strategies and Inheritance
• 14. [HOL] Test SCP Inheritance
• 15. AWS Control Tower
• 16. [HOL] Create a Landing Zone

SCPs "deny" will override any higher up "allow" permissions. So even though an allow permission will cascade down through all Org Units, any explicit deny will also cascade and override allow.

You can choose your own strategy. By default an Organization will have the FullAWSAccess SCP attached to it and every OU and account. This is the 'Deny List Strategy' because you must override the 'default' allow full access with deny rules. On the other hand, you can remove (delete) this SCP and then you would have an 'Allow List Strategy' because you would need to specifically list each service you want to allow in the Organizations, OUs and Accounts.

AWS Control Tower allows you to setup and govern multi-account environments.