Amazon Organizations supports full IAM policy language for service control policies (SCPs)
Amazon Organizations now offers full IAM policy language support for service control policies (SCPs), enabling you to write SCPs with the same flexibility as IAM managed policies. With this launch, SCPs now support the use of conditions, individual resource ARNs, and the NotAction element with Allow statements. Additionally, you can now use wildcards at the beginning or middle of Action element strings, and you can use the NotResource element.
With these policy language enhancements, you can now create more concise and precise policies to implement sophisticated permissions guardrails across your organization. For example, you can restrict access to specific resources or define region-specific controls with condition statements. The enhanced functionality maintains backward compatibility with existing SCPs, so no changes to current policies are required.
The new feature is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about this feature, please visit the Amazon Organizations User Guide.
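As an added illustration (not taken from the announcement or the User Guide), the SCP below combines a region condition, a wildcard that is not at the end of an Action string, and the NotResource element. The Sid values, the bucket name `example-approved-bucket`, the list of exempted global services, and the choice of EC2 and S3 actions are all assumptions made for the example; the ARN uses the `aws-cn` partition of the two China Regions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyOutsideChinaRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["cn-north-1", "cn-northwest-1"]
        }
      }
    },
    {
      "Sid": "ExampleDenyInternetGatewayChanges",
      "Effect": "Deny",
      "Action": "ec2:*InternetGateway",
      "Resource": "*"
    },
    {
      "Sid": "ExampleDenyObjectAccessOutsideApprovedBucket",
      "Effect": "Deny",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "NotResource": "arn:aws-cn:s3:::example-approved-bucket/*"
    }
  ]
}
```

All three statements are Deny statements, so they take effect regardless of which other SCPs are attached. An Allow statement that carries a condition or a specific resource ARN narrows permissions only when no broader Allow, such as the default FullAWSAccess policy, is attached at the same level.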