AWS Control Tower creating duplicates. What is the recommendation from AWS on deleting or renaming SCPs created via Control Tower?


Our AWS org has duplicate SCPs from Control Tower. They are the exact same policy document, but applied to different OUs. I have a couple of questions.

  1. Where do the duplicates come from? And will we continue to get duplicates as we create new OUs or accounts?
  2. Is it safe to de-duplicate the SCPs (matching how the duplicates were attached)?
  3. Is it safe to rename the SCPs to more human friendly names?
Kartik
Asked 4 months ago, 456 views

1 answer

Accepted answer

For the 1st question, the duplicate SCPs coming from Control Tower are expected behavior. Control Tower automatically attaches SCPs at the OU level when preventive controls [1] are enabled for that OU. So if the same set of controls is enabled for multiple OUs, it will create duplicate SCPs, one per OU, to apply the same policies to those OUs. I have run a couple of tests on my end and confirmed the same behavior. If you create new OUs and also use the same set of preventive controls for them, it will most likely create new SCPs with the same policies.

Regarding the 2nd and 3rd questions, de-duplicating the SCPs and changing the names of the SCPs can be done safely in terms of their impact on child accounts under the OU; the effect of these SCPs would remain the same as long as you attach the merged SCPs in the same way as the duplicates were originally attached at the OU level. However, it's important to note that since these SCPs are applied by Control Tower's preventive controls, such modifications might create drift from the original controls, potentially leading to unexpected behaviors if you later apply new controls or disable current ones.

More specifically, if a duplicated SCP originally named 'aws-guardrails-XYZ' is renamed to 'Example-Controls', this new name is not recognized by Control Tower. For instance, if a control is disabled in Control Tower, it tries to remove the corresponding policy from the SCPs. But if it doesn't find 'aws-guardrails-XYZ' because it's been renamed to 'Example-Controls', Control Tower might mark the action as complete even though the policy statement remains within 'Example-Controls'. I hope this illustration describes the possible issue from changing the name and merging the policy. As a result, I advise against merging these policies to avoid future confusion.

Hope this helps to answer your concern.

Answered 4 months ago by AWS Expert
Reviewed 4 months ago
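A read-only inventory script that does the groundwork for the poster's 2nd and 3rd questions, added here as an illustration and not part of the original question or answer: it fingerprints each SCP's policy document (key order and whitespace normalised, since copies are often serialised differently), groups identical documents, shows which OUs each copy is attached to, and proposes a merge only for duplicates that are not Control Tower-managed, leaving any `aws-guardrails-*` SCP alone as the answer advises. `SAMPLE_POLICIES`, the OU names/IDs and the guardrail document are constructed stand-ins, not real Control Tower output; `fetch_scps()` is the live path and assumes boto3 plus `organizations:ListPolicies`, `DescribePolicy` and `ListTargetsForPolicy` permissions in the management account.

```python
import hashlib
import json
from collections import defaultdict

# Control Tower names the SCPs it creates for preventive controls with this prefix
# (the 'aws-guardrails-XYZ' naming the answer above refers to).
CT_PREFIX = "aws-guardrails-"


def policy_fingerprint(content: str) -> str:
    """Hash a policy document after canonicalising key order and whitespace, so two
    SCPs with the same statements compare equal even if serialised differently."""
    canon = json.dumps(json.loads(content), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def group_duplicates(policies: list[dict]) -> dict[str, list[dict]]:
    """Return {fingerprint: [policy, ...]} for each document that appears more than once."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for p in policies:
        groups[policy_fingerprint(p["Content"])].append(p)
    return {fp: ps for fp, ps in groups.items() if len(ps) > 1}


def is_control_tower_managed(policy: dict) -> bool:
    return policy["Name"].startswith(CT_PREFIX)


def dedup_plan(policies: list[dict]) -> list[dict]:
    """One entry per duplicate group. Groups containing a Control Tower-managed SCP get
    action 'skip' (renaming or merging them drifts from the controls, as the answer
    explains). Groups of custom SCPs get action 'merge': keep the first copy, attach it to
    every OU the other copies covered, then detach and delete those copies."""
    plan = []
    for fp, ps in group_duplicates(policies).items():
        names = [p["Name"] for p in ps]
        if any(is_control_tower_managed(p) for p in ps):
            plan.append({"fingerprint": fp, "action": "skip", "policies": names,
                         "attached_to": sorted(t["Name"] for p in ps for t in p["Targets"]),
                         "reason": "Control Tower-managed; leave names and attachments alone"})
            continue
        keep, drop = ps[0], ps[1:]
        already = {t["TargetId"] for t in keep["Targets"]}
        reattach = sorted({t["TargetId"] for p in drop for t in p["Targets"]} - already)
        plan.append({"fingerprint": fp, "action": "merge", "keep": keep["Name"],
                     "delete": [p["Name"] for p in drop], "reattach": reattach})
    return plan


def fetch_scps() -> list[dict]:
    """Live variant returning the same shape as SAMPLE_POLICIES. Assumption: boto3 is
    installed and the caller has organizations:ListPolicies, DescribePolicy and
    ListTargetsForPolicy in the management account. Not exercised offline."""
    import boto3  # imported here so the offline parts of this file work without it
    org = boto3.client("organizations")
    scps = []
    for page in org.get_paginator("list_policies").paginate(Filter="SERVICE_CONTROL_POLICY"):
        for summary in page["Policies"]:
            pid = summary["Id"]
            content = org.describe_policy(PolicyId=pid)["Policy"]["Content"]
            targets = [t for tp in org.get_paginator("list_targets_for_policy").paginate(PolicyId=pid)
                       for t in tp["Targets"]]
            scps.append({"Id": pid, "Name": summary["Name"], "Content": content, "Targets": targets})
    return scps


# Constructed sample data (not from a real organisation, and the guardrail document is a
# stand-in, not an actual Control Tower policy). The two guardrail copies carry the same
# statement serialised with different whitespace, as real duplicates often do.
_GUARDRAIL_DOC = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyTrailTampering", "Effect": "Deny",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"], "Resource": ["*"]}]}
_DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyLeaveOrg", "Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
_SANDBOX = {"TargetId": "ou-xxxx-sandbox0", "Type": "ORGANIZATIONAL_UNIT", "Name": "Sandbox"}
_WORKLOADS = {"TargetId": "ou-xxxx-workload", "Type": "ORGANIZATIONAL_UNIT", "Name": "Workloads"}

SAMPLE_POLICIES = [
    {"Id": "p-ct000001", "Name": "aws-guardrails-AbCdEf",
     "Content": json.dumps(_GUARDRAIL_DOC, indent=2), "Targets": [_SANDBOX]},
    {"Id": "p-ct000002", "Name": "aws-guardrails-GhIjKl",
     "Content": json.dumps(_GUARDRAIL_DOC), "Targets": [_WORKLOADS]},
    {"Id": "p-cu000001", "Name": "DenyLeaveOrg-copy1",
     "Content": json.dumps(_DENY_LEAVE_ORG), "Targets": [_SANDBOX]},
    {"Id": "p-cu000002", "Name": "DenyLeaveOrg-copy2",
     "Content": json.dumps(_DENY_LEAVE_ORG), "Targets": [_WORKLOADS]},
]

if __name__ == "__main__":
    for entry in dedup_plan(SAMPLE_POLICIES):
        print(json.dumps(entry, indent=2))
```

Run it as-is to see the plan for the constructed data; against a real org, replace `SAMPLE_POLICIES` with `fetch_scps()`. The output is only a plan: any `AttachPolicy`, `DetachPolicy` or `DeletePolicy` calls are left for the operator, and if you do apply a merge for custom SCPs, attach the kept policy to each OU before detaching and deleting the copies so coverage never lapses. Anything reported as `skip` is what the answer warns about: Control Tower will keep looking for its own `aws-guardrails-*` names when controls are later enabled or disabled.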
