Service Control Policy for restricting certain write actions to specific regions only

Question

We would like to control which services are available for use in which accounts and regions while still being able to review everything:
- Allow ReadOnly across all services in all regions
- Allow Write on specified services in certain regions

We are aware of the general policy to [restrict actions not in specific regions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) but this is too restrictive and results in unnecessary confusion when users experience permission errors on various service dashboards.

Thus far we have been unable to construct an SCP, or combination of SCPs, that provide the intended effect given [the attachment and size limits.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html#min-max-values)

Is what we are looking for even possible with Service Control Policies alone?

We would like to avoid:
- Managing this via User/Role Permissions
- Having "Bypass" Roles as shown in the documented example above.

Answer

No, you cannot do this via SCPs alone. SCPs don't grant any actions, only allow that certain actions can be granted by identity policies, so you will have to have some identity policies involved.

Another problem you will run in to is that an explicit deny *anywhere* in [the policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) will result in the action being denied, even if it is also allowed. This means that if you want *any* principals in an account to have an action (e.g. write to a specific region), then the SCPs must allow it.

Unless you scope your regions to specific accounts or OUs, you cannot implement what you want with SCPs.

Service Control Policy for restricting certain write actions to specific regions only

Relevant content