SCP policy with negative condition

This SCP (Service Control Policy) Deny policy is designed to restrict certain actions for IAM principals (users or roles) based on two negative conditions:

NotAction: Specifies the actions that are not allowed. In this case, the SCP denies all actions except those related to budgets, support, and WAF (Web Application Firewall).

Condition: Contains two conditions that must not be met for the policy to take effect:

StringNotEquals: Checks if the requested AWS region is not "us-east-1". This means that the policy allows actions only if they are requested in the "us-east-1" region.

ArnNotLike: Checks if the IAM principal's ARN (Amazon Resource Name) is not like the specified patterns. It uses wildcard patterns to match ARNs of IAM roles named "abc" or "cde" in any AWS account.

In summary, this SCP Deny policy allows actions related to budgets, support, and WAF, only if they are requested in the "us-east-1" region and if the IAM principal's ARN does not match the patterns specified for roles named "abc" or "cde". For all other actions, the policy denies access regardless of the requested region or IAM principal.

This might help too :- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html