Service Control Policies (SCPs) are an AWS Organizations-level feature for restricting permissions across AWS accounts.

They can be attached at the Organizational Unit (OU) level or to a specific AWS account, which lets you manage baseline permissions in a central location.

You can use SCPs to create a permissions boundary, as they act as a filter, restricting access to AWS services. They can only be used to DENY access; they cannot be used to ALLOW (grant) it.

SCPs also apply to the root user of the AWS accounts they are applied to, and as a result you should avoid adding SCPs to the Root Account. The reason for this is so you don't accidentally lock yourself out, and your root account should already be sufficiently locked down.

SCPs are a powerful tool, and will override any local configuration. They are declared in a similar way to other IAM policies. Here is an example that restricts the ability to create EC2 instances:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyEC2Instances",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:*:*:instance/*"
          ]
        }
      ]
    }
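
To make the "filter" and "override" behaviour concrete, here is a small evaluator that runs the policy above against a constructed admin identity policy. It is an added example, not AWS's evaluation engine or code from the original page: the helper names, the sample ARN and the `IAM_ADMIN` policy are assumptions. It models only `Action`/`Resource` matching, with no conditions or `NotAction`, and it assumes the default `FullAWSAccess` SCP is still attached.

```python
import json
import re

# The SCP from the article, embedded so the example runs offline.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyEC2Instances",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*:*:instance/*"]
  }]
}""")

# Constructed identity policy: the broad allow an admin role would carry.
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed sample ARN (account id and instance id are made up).
INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, text, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.I if ignore_case else 0) is not None


def _effects(policy, action, resource):
    # Effects of every statement whose Action and Resource match the request.
    return {s["Effect"] for s in _as_list(policy["Statement"])
            if any(_glob(a, action, True) for a in _as_list(s["Action"]))
            and any(_glob(r, resource) for r in _as_list(s["Resource"]))}


def is_permitted(action, resource, iam_policy, scp):
    """Simplified model: assumes the default FullAWSAccess SCP is attached."""
    scp_fx = _effects(scp, action, resource)
    iam_fx = _effects(iam_policy, action, resource)
    if "Deny" in scp_fx or "Deny" in iam_fx:
        return False  # an explicit deny wins, even over Action "*"
    return "Allow" in iam_fx  # the SCP filters; only the IAM policy grants
```

With `IAM_ADMIN`, `ec2:RunInstances` on `INSTANCE` is refused while `ec2:DescribeInstances` still goes through; with an empty identity policy nothing is permitted, because the SCP itself grants nothing.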