We can prevent accounts from accessing services by using Service Control Policies (SCPs).
If you apply an SCP to an Organizational Unit (OU), every OU and account beneath it in the tree is affected.
Navigate to the ‘Policies’ section of AWS Organizations:
Select ‘Create policy’:
Give it a policy name and description of what it will do:
For this example I will be allowing all services while denying EC2 and Budgets:
Navigate back to the main page in AWS Organizations and select which Organizational Unit (OU) you want to apply the policy to. We will be using the PROD OU:
Select the policies tab and select ‘Attach’:
Select the SCP you created earlier and click on ‘Attach policy’:
Now that the SCP has been attached, you can navigate into the targeted account and notice that EC2 has been denied:
Going into Budgets also shows that it has been denied:
You can now create and apply SCPs to OUs, effectively allowing or denying access on an organizational scale.
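The walkthrough above, modelled offline as an added example (not code from the original page or from AWS): a simplified evaluator showing why an SCP attached to the PROD OU denies EC2 and Budgets in accounts beneath it but not elsewhere. The policy JSON is constructed from the description in the text; the DEV OU, the account names and the function names are hypothetical, and Resource, Condition and NotAction are ignored.

```python
import json
from fnmatch import fnmatchcase

# Constructed SCP matching the article's description (allow all, deny EC2 and Budgets).
DENY_EC2_BUDGETS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:*", "budgets:*"], "Resource": "*"}
  ]
}""")
# Same shape as the AWS-managed FullAWSAccess policy.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Hypothetical organization: child -> parent. Only PROD comes from the article.
PARENT = {"PROD": "Root", "DEV": "Root",
          "prod-account": "PROD", "dev-account": "DEV"}
# SCPs attached directly to each node (constructed).
ATTACHED = {"Root": [FULL_ACCESS], "PROD": [DENY_EC2_BUDGETS], "DEV": [FULL_ACCESS],
            "prod-account": [FULL_ACCESS], "dev-account": [FULL_ACCESS]}

def _matches(statement, action):
    """True if the statement's Action patterns cover the action (case-insensitive)."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_allows(target, action):
    """Walk from the account up to the root; return (allowed, reason)."""
    node = target
    while node is not None:
        statements = [s for policy in ATTACHED.get(node, []) for s in policy["Statement"]]
        if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
            return False, f"explicit Deny at {node}"
        if not any(s["Effect"] == "Allow" and _matches(s, action) for s in statements):
            return False, f"no Allow at {node}"
        node = PARENT.get(node)
    return True, "allowed at every level"

if __name__ == "__main__":
    for account, action in [("prod-account", "ec2:DescribeInstances"),
                            ("prod-account", "budgets:ViewBudget"),
                            ("prod-account", "s3:ListAllMyBuckets"),
                            ("dev-account", "ec2:DescribeInstances")]:
        print(account, action, scp_allows(account, action))
```

An SCP only sets the maximum permissions available in an account; a result of allowed here still requires an IAM policy in the account that grants the action.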